Abstract

We present an efficient algorithm to reduce the size of nondeterministic Büchi word automata, while retaining their language. Additionally, we describe methods to solve PSPACE-complete automata problems like universality, equivalence and inclusion for much larger instances (1-3 orders of magnitude) than before. This can be used to scale up applications of automata in formal verification tools and decision procedures for logical theories.

The algorithm is based on new transition pruning techniques. These use criteria based on combinations of backward and forward trace inclusions. Since these relations are themselves PSPACE-complete, we describe methods to compute good approximations of them in polynomial time.

Extensive experiments show that the average-case complexity of our algorithm scales quadratically. The size reduction of the automata depends very much on the class of instances, but our algorithm consistently outperforms all previous techniques by a wide margin. We tested our algorithm on Büchi automata derived from LTL-formulae, many classes of random automata and automata derived from mutual exclusion protocols, and compared its performance to the well-known automata tool GOAL [34].

Categories and Subject Descriptors D.2.4 [Software Verification]: Model checking; F.1.1 [Models of Computation]: Automata

General Terms Automata minimization, inclusion checking 

Keywords Büchi automata, simulation, minimization

1. Introduction 

Nondeterministic Büchi automata are an effective way to represent and manipulate ω-regular languages, since they are closed under boolean operations. They appear in many automata-based formal software verification methods, as well as in decision procedures for logical theories. For example, in LTL software model checking [13, 22], temporal logic specifications are converted into Büchi automata. In other cases, different versions of a program (obtained by abstraction or refinement of the original) are translated into automata whose languages are then compared. Testing the conformance of an implementation with its requirements specification thus reduces to a language inclusion or language equivalence problem. Another application of Büchi automata in software engineering is program termination analysis by the size-change termination method [15, 26]. Via an abstraction of the effect of program operations on data, the termination problem can often be reduced to a language inclusion problem about two derived Büchi automata.

Our goal is to improve the efficiency and scalability of automata-based formal software verification methods. We consider efficient algorithms for the minimization of automata, in the sense of obtaining a smaller automaton with the same language, though not necessarily with the absolute minimal possible number of states. (And, in general, the minimal automaton for a language is not even unique.) The reason to perform minimization is that the smaller minimized automaton is more efficient to handle in a subsequent computation. Thus there is an algorithmic tradeoff between the effort for minimization and the complexity of the problem later considered for this automaton. If only computationally easy questions are asked (e.g., reachability/emptiness; solvable in Logspace/PTIME) then extensive minimization usually does not pay off. Instead, the main applications are the following:

1. Computationally hard automata problems like universality, equivalence, and inclusion. These are PSPACE-complete [25], but many practically efficient methods have been developed [3, 4, 6, 10, 11, 15, 16, 29]. Still, these all have exponential time complexity and do not scale well. Typically they are applied to automata with 15-100 states (unless the automaton has a particularly simple structure). Thus, one should first minimize the automata before applying these exponential-time methods. A good minimization algorithm makes it possible to solve much larger instances. Even better, many instances of the PSPACE-complete universality, equivalence, and inclusion problems can already be solved in the polynomial time minimization algorithm (e.g., by reducing the automaton to the trivial universal automaton), so that the complete exponential time methods only need to be invoked in a small minority of instances.

2. Cases where the size of an automaton strongly affects the complexity of an algorithm. In LTL model checking [22] one searches for loops in a graph that is the product of a large system specification with an automaton derived from an LTL-formula. Smaller automata often make this easier, though in practice it also depends on the degree of nondeterminism [30].

3. Procedures that combine and modify automata repeatedly. Model checking algorithms and automata-based decision procedures for logical theories compute automata products, unions, complements, projections, etc., and thus the sizes of automata grow rapidly. Thus, it is important to intermittently minimize the automata to keep their size manageable, e.g., [27].

In general, finding an automaton with the minimal number of states for a given language is computationally hard; even deciding whether a given automaton is minimal is already PSPACE-complete [23]. Thus much effort has been devoted to finding methods for partial minimization [8, 13, 14, 24]. Simulation preorders played a central role in these efforts, because they provide PTIME-computable under-approximations of trace inclusions. However, the quality of the approximation is insufficient in many practical examples. Multipebble simulations [12] yield coarser relations by allowing the Duplicator player to hedge her bets in the simulation game, but they are not easily computable in practice.

1. We present methods for transition pruning, i.e., removing transitions from automata without changing their language. The idea is that certain transitions can be removed, because other 'better' transitions remain. The 'better' criterion relies on combinations of forward and backward simulations and trace inclusions. We provide a complete picture of which combinations are correct to use for pruning. Moreover, the pruned transitions can be removed 'in parallel' (i.e., without re-computing the simulations and trace inclusions after every change), which makes the method efficient and practical.

2. We present an efficient practical method to compute good under-approximations of trace inclusions, by introducing lookahead simulations. While it is correct to use full trace inclusions and maximal-pebble multipebble simulations in our minimization methods, these are not easily computed (PSPACE-hard). However, lookahead simulations are PTIME-computable, and it is correct to use them instead of the more expensive trace inclusions and multipebble simulations. Lookahead itself is a classic concept in parsing and many other areas, but it can be defined in many different variants. Our contribution is to identify and formally describe the lookahead-variant for simulation preorders that gives the optimal compromise between efficient computability and maximizing the sizes of the relations.¹ Practical degrees of lookahead range from 4 to 25, depending on the size and shape of the automata. Our experiments show that even moderate lookahead helps considerably in obtaining good approximations of trace-inclusions and multipebble simulations.

3. We show that variants of the polynomial time minimization algorithm can solve most instances of the PSPACE-complete language inclusion problem. Thus, the complete exponential time methods of [3, 4, 6, 10, 11, 15, 16] need only be invoked in a minority of the cases. This allows language inclusion testing to scale to much larger instances (e.g., automata with > 1000 states) which are beyond traditional methods.

4. We performed extensive tests of our algorithm on automata of up to 20000 states. These included random automata according to the Tabakov-Vardi model [33], automata obtained from LTL formulae, and real-world mutual exclusion protocols. The empirically determined average-case time complexity on random automata is quadratic, while the (never observed) worst-case complexity is $O(n^4)$. The worst-case space complexity is quadratic. Our algorithm always minimizes better, on average, than all previously available practical methods. However, the exact advantage varies, depending on the type of instances; cf. Section 7. For example, consider random automata with 100-1000 states, binary alphabet and varying transition density td. Random automata with td = 1.4 cannot be minimized much by any method. The only effect is achieved by the trivial removal of dead states which, on average, yields automata of 78% of the original size. On the other hand, for td = 1.8, ..., 2.2, the best previous minimization methods yielded automata of 85%-90% of the original size on average, while our algorithm yielded automata of 3%-15% of the original size on average.

While we present our methods in the framework of Büchi automata, they directly carry over to the simpler case of finite-word automata.



¹ A thorough literature search showed that this has never been formally described so far.



2. Preliminaries 

A non-deterministic Büchi Automaton (BA) $\mathcal{A}$ is a tuple $(\Sigma, Q, I, F, \delta)$ where $\Sigma$ is a finite alphabet, $Q$ is a finite set of states, $I \subseteq Q$ is the set of initial states, $F \subseteq Q$ is the set of accepting states, and $\delta \subseteq Q \times \Sigma \times Q$ is the transition relation. We write $p \xrightarrow{a} q$ for $(p, a, q) \in \delta$. A transition is transient iff any path can contain it at most once. To simplify the presentation, we assume that automata are forward and backward complete, i.e., for any state $p \in Q$ and symbol $a \in \Sigma$, there exist states $q_0, q_1 \in Q$ s.t. $q_0 \xrightarrow{a} p \xrightarrow{a} q_1$. Every automaton can be converted into an equivalent complete one by adding at most two states and a linear number of transitions.² A state is dead iff either it is not reachable from an initial state, or it cannot reach an accepting loop. In our simplification techniques, we always remove dead states.

A Büchi automaton $\mathcal{A}$ describes a set of infinite words (its language), i.e., a subset of $\Sigma^\omega$. An infinite trace of $\mathcal{A}$ on a word $w = \sigma_0 \sigma_1 \cdots \in \Sigma^\omega$ (or $w$-trace) starting in a state $q_0 \in Q$ is an infinite sequence of transitions $\pi = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$. By $\pi[0..i]$ we denote the finite prefix $\hat{\pi} = q_0 \xrightarrow{\sigma_0} \cdots \xrightarrow{\sigma_{i-1}} q_i$, and by $\pi[i..]$ the infinite suffix $q_i \xrightarrow{\sigma_i} q_{i+1} \xrightarrow{\sigma_{i+1}} \cdots$. Finite traces starting in $q_0$ and ending in a state $q_m \in Q$ are defined similarly. A finite or infinite trace is initial iff it starts in an initial state $q_0 \in I$; if it is infinite, then it is fair iff $q_i \in F$ for infinitely many $i$. The language of $\mathcal{A}$ is $L(\mathcal{A}) = \{ w \in \Sigma^\omega \mid \mathcal{A}$ has an infinite, initial and fair trace on $w \}$.

Language inclusion. When automata are viewed as a finite representation for languages, it is natural to ask whether two different automata represent the same language, or, more generally, to compare these languages for inclusion. Formally, for two automata $\mathcal{A} = (\Sigma, Q_A, I_A, F_A, \delta_A)$ and $\mathcal{B} = (\Sigma, Q_B, I_B, F_B, \delta_B)$ we write $\mathcal{A} \subseteq \mathcal{B}$ iff $L(\mathcal{A}) \subseteq L(\mathcal{B})$ and $\mathcal{A} \approx \mathcal{B}$ iff $L(\mathcal{A}) = L(\mathcal{B})$. The language inclusion/equivalence problem consists in determining whether $\mathcal{A} \subseteq \mathcal{B}$ or $\mathcal{A} \approx \mathcal{B}$ holds, respectively. For general non-deterministic automata, language inclusion and equivalence are PSPACE-complete [25] (which entails that, under standard theoretic-complexity assumptions, they admit no efficient deterministic algorithm). Therefore, one considers suitable under-approximations.

Definition A preorder $\sqsubseteq$ on $Q_A \times Q_B$ is good for inclusion (GFI) iff the following holds: If $\forall q \in I_A\; \exists q' \in I_B .\ q \sqsubseteq q'$, then $\mathcal{A} \subseteq \mathcal{B}$.

In other words, GFI preorders give a sufficient condition for inclusion, by matching initial states of $\mathcal{A}$ with initial states of $\mathcal{B}$. (They are not necessary for inclusion since there are several initial states.) Moreover, if computing a GFI preorder is efficient, then also inclusion can be established efficiently. Finally, if a preorder is GFI, then all smaller preorders are GFI too, i.e., GFI is $\subseteq$-downward closed.

Quotienting. Another interesting problem is how to simplify an automaton while preserving its semantics, i.e., its language. Generally, one tries to reduce the number of states/transitions. This is useful because the complexity of decision procedures usually depends on the size of the input automata.

A classical operation for reducing the number of states of an automaton is that of quotienting, where states of the automaton are identified according to a given equivalence, and transitions are projected accordingly. Since in practice we obtain quotienting equivalences from suitable preorders, we directly define quotienting w.r.t. a preorder. Formally, fix a BA $\mathcal{A} = (\Sigma, Q, I, F, \delta)$ and a preorder $\sqsubseteq$ on $Q$, with induced equivalence ${\approx} := {\sqsubseteq} \cap {\sqsupseteq}$. Given a state $q \in Q$, we denote by $[q]$ its equivalence class w.r.t. $\approx$, and, for a set of states $P \subseteq Q$, $[P]$ is the set of equivalence classes $[P] = \{ [p] \mid p \in P \}$.



² For efficiency reasons, our implementation works directly on incomplete automata.
Definition The quotient of $\mathcal{A}$ by $\sqsubseteq$ is $\mathcal{A}/{\sqsubseteq} = (\Sigma, [Q], [I], [F], \delta')$, where $\delta' = \{ ([q_1], a, [q_2]) \mid \exists q'_1 \in [q_1],\, q'_2 \in [q_2] .\ (q'_1, a, q'_2) \in \delta \}$, i.e., transitions are induced element-wise.

Clearly, every trace $q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$ in $\mathcal{A}$ immediately induces a corresponding trace $[q_0] \xrightarrow{\sigma_0} [q_1] \xrightarrow{\sigma_1} \cdots$ in $\mathcal{A}/{\sqsubseteq}$, which is fair/initial if the former is fair/initial, respectively. Consequently, $\mathcal{A} \subseteq \mathcal{A}/{\sqsubseteq}$ for any preorder $\sqsubseteq$. If, additionally, $\mathcal{A}/{\sqsubseteq} \subseteq \mathcal{A}$, then we say that the preorder $\sqsubseteq$ is good for quotienting (GFQ).

Definition A preorder $\sqsubseteq$ is good for quotienting iff $\mathcal{A}/{\sqsubseteq} \approx \mathcal{A}$.

Like GFI preorders, also GFQ preorders are downward closed (since a smaller preorder is quotienting "less"). Therefore, we are interested in efficiently computable GFI/GFQ preorders. A classical example is given by simulation relations.

Simulation relations. Basic forward simulation is a binary relation on the states of $\mathcal{A}$; it relates states whose behaviors are stepwise related, which allows one to reason about the internal structure of automaton $\mathcal{A}$, i.e., how a word is accepted, and not just whether it is accepted. Formally, simulation between two states $p_0$ and $q_0$ can be described in terms of a game between two players, Spoiler and Duplicator, where the latter wants to prove that $q_0$ can stepwise mimic any behavior of $p_0$, and the former wants to disprove it. The game starts in the initial configuration $(p_0, q_0)$. Inductively, given a game configuration $(p_i, q_i)$ at the $i$-th round of the game, Spoiler chooses a symbol $\sigma_i \in \Sigma$ and a transition $p_i \xrightarrow{\sigma_i} p_{i+1}$. Then, Duplicator responds by choosing a matching transition $q_i \xrightarrow{\sigma_i} q_{i+1}$, and the next configuration is $(p_{i+1}, q_{i+1})$. Since the automaton is assumed to be complete, the game goes on forever, and the two players build two infinite traces $\pi_0 = p_0 \xrightarrow{\sigma_0} p_1 \xrightarrow{\sigma_1} \cdots$ and $\pi_1 = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$. The winning condition depends on the type of simulation, and different types have been considered depending on whether one is interested in GFQ or GFI relations. Here, we consider direct [10], delayed [14] and fair simulation [21]. Let $x \in \{di, de, f\}$. Duplicator wins the play if $C^x(\pi_0, \pi_1)$ holds, where

$C^{di}(\pi_0, \pi_1) \iff \forall (i \ge 0) .\ p_i \in F \implies q_i \in F$ (1)

$C^{de}(\pi_0, \pi_1) \iff \forall (i \ge 0) .\ p_i \in F \implies \exists (j \ge i) .\ q_j \in F$ (2)

$C^{f}(\pi_0, \pi_1) \iff$ if $\pi_0$ is fair, then $\pi_1$ is fair (3)

Intuitively, direct simulation requires that accepting states are matched immediately (the strongest condition), while in delayed simulation Duplicator is allowed to accept only after a finite delay. In fair simulation (the weakest condition), Duplicator must visit accepting states only if Spoiler visits infinitely many of them. Thus, $C^{di}(\pi_0, \pi_1)$ implies $C^{de}(\pi_0, \pi_1)$, which, in turn, implies $C^{f}(\pi_0, \pi_1)$.

We define the $x$-simulation relation $\sqsubseteq^x \subseteq Q \times Q$ by stipulating that $p_0 \sqsubseteq^x q_0$ iff Duplicator has a winning strategy in the $x$-simulation game, starting from configuration $(p_0, q_0)$; clearly, $\sqsubseteq^{di} \subseteq \sqsubseteq^{de} \subseteq \sqsubseteq^{f}$. Simulation between states in different automata $\mathcal{A}$ and $\mathcal{B}$ can be computed as a simulation on their disjoint union. All these simulation relations are GFI preorders which can be computed in polynomial time [10, 14, 20]; moreover, direct and delayed simulation are GFQ [14], but fair simulation is not [21].

Lemma 2.1 ([10, 14, 20, 21]). For $x \in \{di, de, f\}$, $x$-simulation $\sqsubseteq^x$ is a PTIME, GFI preorder, and, for $y \in \{di, de\}$, $\sqsubseteq^y$ is also GFQ.

Trace inclusions. While simulations are efficiently computable, their use is often limited by their size, which can be much smaller than other GFI/GFQ preorders. One such example of coarser GFI/GFQ preorders is given by trace inclusions, which are obtained through a modification of the simulation game, as follows.

In simulation games, the players build two paths $\pi_0, \pi_1$ by choosing single transitions in an alternating fashion; Duplicator moves by knowing only the next 1-step move of Spoiler. We can obtain coarser relations by allowing Duplicator a certain amount of lookahead on Spoiler's moves. In the extremal case of ω-lookahead, i.e., where Spoiler has to reveal her whole path in advance, we obtain trace inclusions.

Analogously to simulations, we define direct, delayed, and fair trace inclusion, as binary relations on $Q$. For $x \in \{di, de, f\}$, $x$-trace inclusion holds between $p$ and $q$, written $p \subseteq^x q$, iff, for every word $w = \sigma_0 \sigma_1 \cdots \in \Sigma^\omega$, and for every infinite $w$-trace $\pi_0 = p_0 \xrightarrow{\sigma_0} p_1 \xrightarrow{\sigma_1} \cdots$ starting at $p_0 = p$, there exists an infinite $w$-trace $\pi_1 = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$ starting at $q_0 = q$, s.t. $C^x(\pi_0, \pi_1)$. All these trace inclusions are GFI preorders subsuming the corresponding simulation, i.e., ${\sqsubseteq^x} \subseteq {\subseteq^x}$ (since Duplicator has more power in the trace inclusion game); also, $\subseteq^{di}$ is a subset of $\subseteq^{de}$, which, in turn, is a subset of $\subseteq^{f}$. Regarding quotienting, $\subseteq^{di}$ is GFQ (like $\sqsubseteq^{di}$; this follows from [12]), while $\subseteq^{f}$ is not, since it is coarser than fair simulation, which is not GFQ [21]. While delayed simulation $\sqsubseteq^{de}$ is GFQ, delayed trace inclusion $\subseteq^{de}$ is not GFQ [8].

Lemma 2.2. For $x \in \{di, de, f\}$, $x$-trace inclusion $\subseteq^x$ is a GFI preorder. Moreover, $\subseteq^{di}$ is a GFQ preorder.

Finally, though $\sqsubseteq^{de}$ and $\subseteq^{di}$ are incomparable, there exists a common generalization included in $\subseteq^{de}$ called delayed fixed-word simulation which is GFQ [8].³

Backward simulation and trace inclusion. Yet another way of obtaining GFQ/GFI preorders is to consider variants of simulation/trace inclusion which go backwards in time. Backward simulation $\sqsubseteq^{bw}$ ([32], where it is called reverse simulation) is defined like ordinary simulation, except that transitions are taken backwards: From configuration $(p_i, q_i)$, Spoiler selects a transition $p_{i+1} \xrightarrow{\sigma_i} p_i$, Duplicator replies with a transition $q_{i+1} \xrightarrow{\sigma_i} q_i$, and the next configuration is $(p_{i+1}, q_{i+1})$. Let $\pi_0$ and $\pi_1$ be the two infinite backward traces built in this way. The corresponding winning condition considers both accepting and initial states:

$C^{bw}(\pi_0, \pi_1) \iff \forall (i \ge 0) .\ (p_i \in F \implies q_i \in F) \wedge (p_i \in I \implies q_i \in I)$ (4)

$\sqsubseteq^{bw}$ is an efficiently computable GFQ preorder [32] incomparable with forward simulations. It can be used to establish language inclusion by matching final states of $\mathcal{A}$ with final states of $\mathcal{B}$ (dually to forward simulations); in this sense, it is GFI.

Lemma 2.3 ([32]). Backward simulation is a PTIME GFQ/GFI preorder.

The corresponding notion of backward trace inclusion $\subseteq^{bw}$ is defined as follows: $p \subseteq^{bw} q$ iff, for every finite word $w = \sigma_0 \sigma_1 \cdots \sigma_{m-1} \in \Sigma^*$, and for every initial, finite $w$-trace $\pi_0 = p_0 \xrightarrow{\sigma_0} p_1 \xrightarrow{\sigma_1} \cdots \xrightarrow{\sigma_{m-1}} p_m$ ending in $p_m = p$, there exists an initial, finite $w$-trace $\pi_1 = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots \xrightarrow{\sigma_{m-1}} q_m$ ending in $q_m = q$, s.t., for any $i \ge 0$, if $p_i \in F$, then $q_i \in F$. Note that backward trace inclusion deals with finite traces (unlike forward trace inclusions), which is due to the asymmetry between past and future in ω-automata. Clearly, ${\sqsubseteq^{bw}} \subseteq {\subseteq^{bw}}$; we observe that even $\subseteq^{bw}$ is GFQ/GFI.

Theorem 2.4. Backward trace inclusion is a GFQ/GFI preorder. 

Proof. We first prove that $\subseteq^{bw}$ is GFQ. Let ${\sqsubseteq} := {\subseteq^{bw}}$. Let $w = \sigma_0 \sigma_1 \cdots \in L(\mathcal{A}/{\sqsubseteq})$, and we show $w \in L(\mathcal{A})$. There exists an initial, infinite and fair $w$-trace $\pi = [q_0] \xrightarrow{\sigma_0} [q_1] \xrightarrow{\sigma_1} \cdots$. For $i \ge 0$, let $w_i = \sigma_0 \sigma_1 \cdots \sigma_i$ (with $w_{-1} = \varepsilon$), and let $\pi[0..i]$ be the $w_{i-1}$-trace prefix of $\pi$. For any $i \ge 0$, we build by induction an initial, finite $w_{i-1}$-trace $\pi_i$ ending in $q_i$ (of length $i$) visiting at least as many accepting states as $\pi[0..i]$ (and at the same times as $\pi[0..i]$ does).

For $i = 0$, just take the empty $\varepsilon$-trace $\pi_0 = q_0$. For $i > 0$, assume that an initial $w_{i-2}$-trace $\pi_{i-1}$ ending in $q_{i-1}$ has already been built. We have the transition $[q_{i-1}] \xrightarrow{\sigma_{i-1}} [q_i]$ in $\mathcal{A}/{\sqsubseteq}$. There exist $q \in [q_{i-1}]$ and $q' \in [q_i]$ s.t. we have a transition $q \xrightarrow{\sigma_{i-1}} q'$ in $\mathcal{A}$. W.l.o.g. we can assume that $q' = q_i$, since $[q_i] = [q']$. By $q_{i-1} \subseteq^{bw} q$ there exists an initial, finite $w_{i-2}$-trace $\pi'$ ending in $q$. By the definition of backward inclusion, $\pi'$ visits at least as many accepting states as $\pi_{i-1}$, which, by inductive hypothesis, visits at least as many accepting states as $\pi[0..i-1]$. Therefore, $\pi_i := \pi' \xrightarrow{\sigma_{i-1}} q_i$ is an initial, finite $w_{i-1}$-trace ending in $q_i$. Moreover, if $[q_i] \in [F]$, then, since backward inclusion respects accepting states, $[q_i] \subseteq F$, hence $q_i \in F$, and, consequently, $\pi_i$ visits at least as many accepting states as $\pi[0..i]$. Since $\pi$ is fair, the finite, initial traces $\pi_0, \pi_1, \ldots$ visit unboundedly many accepting states. Since $\mathcal{A}$ is finitely branching, by König's Lemma there exists an initial, infinite and fair $w$-trace $\pi_\omega$. Therefore, $w \in L(\mathcal{A})$.

We now prove that $\subseteq^{bw}$ is GFI. Let $\mathcal{A}$ and $\mathcal{B}$ be two automata. For backward notions, we require that every accepting state in $\mathcal{A}$ is in relation with an accepting state in $\mathcal{B}$. Let $w = \sigma_0 \sigma_1 \cdots \in L(\mathcal{A})$, and let $\pi_0 = p_0 \xrightarrow{\sigma_0} p_1 \xrightarrow{\sigma_1} \cdots$ be an initial and fair $w$-path in $\mathcal{A}$. Since $\pi_0$ visits infinitely many accepting states, and since each such state is $\subseteq^{bw}$-related to an accepting state in $\mathcal{B}$, by using the definition of $\subseteq^{bw}$ it is possible to build in $\mathcal{B}$ longer and longer finite initial traces visiting unboundedly many accepting states. Since $\mathcal{B}$ is finitely branching, by König's Lemma there exists an infinite, initial and fair $w$-trace $\pi_\omega$ in $\mathcal{B}$. Thus, $w \in L(\mathcal{B})$. □

³ Delayed fixed-word simulation is defined as a variant of simulation where Duplicator has ω-lookahead only on the input word $w$, and not on Spoiler's actual $w$-trace $\pi_0$; that it subsumes $\subseteq^{di}$ is non-trivial.

3. Transition Pruning Minimization Techniques 

While quotienting-based minimization techniques reduce the number of states by merging them, we explore an alternative method which prunes (i.e., removes) transitions. The intuition is that certain transitions can be removed from an automaton without changing its language when other 'better' transitions remain.

Definition Let $\mathcal{A} = (\Sigma, Q, I, F, \delta)$ be a BA and let $P$ be a transitive, asymmetric relation on $\delta$. The pruned automaton is defined as $\mathrm{Prune}(\mathcal{A}, P) := (\Sigma, Q, I, F, \delta')$, with $\delta' = \{ (p, \sigma, r) \in \delta \mid \nexists (p', \sigma', r') \in \delta .\ (p, \sigma, r)\, P\, (p', \sigma', r') \}$.

By the assumptions on $P$, the pruned automaton $\mathrm{Prune}(\mathcal{A}, P)$ is uniquely defined. Notice that transitions are removed 'in parallel'. Though $P$ might depend on $\delta$, $P$ is not re-computed even if the removal of a single transition changes $\delta$. This is important because computing $P$ may be expensive. Since removing transitions cannot introduce new words in the language, $\mathrm{Prune}(\mathcal{A}, P) \subseteq \mathcal{A}$. When also the converse inclusion holds (so the language is preserved), we say that $P$ is good for pruning (GFP), i.e., $P$ is GFP iff $\mathrm{Prune}(\mathcal{A}, P) \approx \mathcal{A}$. Clearly, GFP is $\subseteq$-downward closed (like GFI and GFQ).

We study GFP relations obtained by comparing the endpoints of transitions over the same input symbol. Formally, given two binary relations $R_b, R_f \subseteq Q \times Q$, we define

$P(R_b, R_f) = \{ ((p, \sigma, r), (p', \sigma, r')) \mid p\, R_b\, p' \text{ and } r\, R_f\, r' \}$

$P(\cdot, \cdot)$ is monotone in both arguments. In the following, we explore which state relations $R_b, R_f$ induce GFP relations $P(R_b, R_f)$.

It has long been known that $P(id, \sqsubset^{di})$ and $P(\sqsubset^{bw}, id)$ are GFP (see [7] where the removed transitions are called 'little brothers'). Moreover, even the relation $R_t(\subset^{f}) := P(id, \subset^{di}) \cup \{ ((p, \sigma, r), (p, \sigma, r')) \mid (p, \sigma, r')$ is transient and $r \subset^{f} r' \}$ is GFP [32], i.e., strict fair trace inclusion suffices if the remaining transition can only be used once. However, in general, $P(id, \subset^{f})$ is not GFP. Moreover, even if only transient transitions are compared/pruned, $P(\sqsubset^{bw}, \subset^{f})$ is not GFP; cf. Fig. 2.

Figure 1. GFP relations $P(R_b, R_f)$.

Theorem 3.1. For every asymmetric and transitive relation $R \subseteq {\subset^{di}}$, $P(id, R)$ is GFP.

Proof. Let $\mathcal{A}' = \mathrm{Prune}(\mathcal{A}, P(id, R))$. We show $\mathcal{A} \subseteq \mathcal{A}'$. If $w = \sigma_0 \sigma_1 \cdots \in L(\mathcal{A})$ then there exists an infinite fair initial trace $\hat{\pi}$ on $w$ in $\mathcal{A}$. We show $w \in L(\mathcal{A}')$.

We call a trace $\pi = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$ on $w$ in $\mathcal{A}$ $i$-good if it does not contain any transition $q_j \xrightarrow{\sigma_j} q_{j+1}$ for $j < i$ s.t. there exists an $\mathcal{A}$ transition $q_j \xrightarrow{\sigma_j} q'_{j+1}$ with $q_{j+1}\, R\, q'_{j+1}$ (i.e., no such transition is used within the first $i$ steps). Since $\mathcal{A}$ is finitely branching, for every state and symbol there exists at least one $R$-maximal successor that is still present in $\mathcal{A}'$, because $R$ is asymmetric and transitive. Thus, for every $i$-good trace $\pi$ on $w$ there exists an $(i+1)$-good trace $\pi'$ on $w$ s.t. $\pi$ and $\pi'$ are identical on the first $i$ steps and $C^{di}(\pi, \pi')$, because $R \subseteq {\subset^{di}}$. Since $\hat{\pi}$ is an infinite fair initial trace on $w$ (which is trivially 0-good), there exists an infinite initial trace $\tilde{\pi}$ on $w$ that is $i$-good for every $i$ and $C^{di}(\hat{\pi}, \tilde{\pi})$. Moreover, $\tilde{\pi}$ is a trace in $\mathcal{A}'$. Since $\hat{\pi}$ is fair and $C^{di}(\hat{\pi}, \tilde{\pi})$, $\tilde{\pi}$ is an infinite fair initial trace on $w$ that is $i$-good for every $i$. Therefore $\tilde{\pi}$ is a fair initial trace on $w$ in $\mathcal{A}'$ and thus $w \in L(\mathcal{A}')$. □

Theorem 3.2. For every asymmetric and transitive relation $R \subseteq {\subset^{bw}}$, $P(R, id)$ is GFP.

Proof. Let $\mathcal{A}' = \mathrm{Prune}(\mathcal{A}, P(R, id))$. We show $\mathcal{A} \subseteq \mathcal{A}'$. If $w = \sigma_0 \sigma_1 \cdots \in L(\mathcal{A})$ then there exists an infinite fair initial trace $\hat{\pi}$ on $w$ in $\mathcal{A}$. We show $w \in L(\mathcal{A}')$.

We call a trace $\pi = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$ on $w$ in $\mathcal{A}$ $i$-good if it does not contain any transition $q_j \xrightarrow{\sigma_j} q_{j+1}$ for $j < i$ s.t. there exists an $\mathcal{A}$ transition $q'_j \xrightarrow{\sigma_j} q_{j+1}$ with $q_j\, R\, q'_j$ (i.e., no such transition is used within the first $i$ steps).

We show, by induction on $i$, the following property (P): For every $i$ and every initial trace $\pi$ on $w$ in $\mathcal{A}$ there exists an initial $i$-good trace $\pi'$ on $w$ in $\mathcal{A}$ s.t. $\pi$ and $\pi'$ have identical suffixes from step $i$ onwards and $C^{di}(\pi, \pi')$.

The base case $i = 0$ is trivial with $\pi' = \pi$. For the induction step there are two cases. If $\pi$ is $(i+1)$-good then we can take $\pi' = \pi$. Otherwise there exists a transition $q'_i \xrightarrow{\sigma_i} q_{i+1}$ with $q_i\, R\, q'_i$. Without restriction (since $\mathcal{A}$ is finite and $R$ is asymmetric and transitive) we assume that $q'_i$ is $R$-maximal among the $\sigma_i$-predecessors of $q_{i+1}$. In particular, the transition $q'_i \xrightarrow{\sigma_i} q_{i+1}$ is present in $\mathcal{A}'$. Since $R \subseteq {\subset^{bw}}$, there exists an initial trace $\pi''$ on $w$ that has suffix $q'_i \xrightarrow{\sigma_i} q_{i+1} \xrightarrow{\sigma_{i+1}} q_{i+2} \cdots$ and $C^{di}(\pi, \pi'')$. Then, by induction hypothesis, there exists an initial $i$-good trace $\pi'$ on $w$ that has suffix $q'_i \xrightarrow{\sigma_i} q_{i+1} \xrightarrow{\sigma_{i+1}} q_{i+2} \cdots$ and $C^{di}(\pi'', \pi')$. Since $q'_i$ is $R$-maximal among the $\sigma_i$-predecessors of $q_{i+1}$ we obtain that $\pi'$ is also $(i+1)$-good. Moreover, $\pi'$ and $\pi$ have identical suffixes from step $i+1$ onwards. Finally, by $C^{di}(\pi, \pi'')$ and $C^{di}(\pi'', \pi')$, we obtain $C^{di}(\pi, \pi')$.

Given the infinite fair initial trace $\hat{\pi}$ on $w$ in $\mathcal{A}$, it follows from property (P) and König's Lemma that there exists an infinite initial trace $\tilde{\pi}$ on $w$ that is $i$-good for every $i$ and $C^{di}(\hat{\pi}, \tilde{\pi})$. Therefore $\tilde{\pi}$ is an infinite fair initial trace on $w$ in $\mathcal{A}'$ and thus $w \in L(\mathcal{A}')$. □
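The following Python program is an added illustration, not code from the paper or its implementation; every name in it is the example's own. It computes direct and backward simulation as the greatest fixpoint of the games in Section 2 (conditions (1) and (4)), then applies Prune with $P(id, R)$ for $R = {\sqsubset^{di}}$ (Theorem 3.1, since strict direct simulation is contained in strict direct trace inclusion) and with $P(R, id)$ for $R = {\sqsubset^{bw}}$ (Theorem 3.2), removing dead states after each step. The automaton is constructed for the example and is incomplete, which the fixpoint handles directly.

```python
from typing import Callable, FrozenSet, Iterable, Set


class BA:
    """Nondeterministic Büchi automaton (Sigma, Q, I, F, delta); may be incomplete."""

    def __init__(self, states, alphabet, init, final, delta):
        self.states = frozenset(states)
        self.alphabet = frozenset(alphabet)
        self.init = frozenset(init)
        self.final = frozenset(final)
        self.delta = frozenset(delta)  # triples (p, a, r) for p -a-> r

    def succ(self, p: int, a: str) -> FrozenSet[int]:
        return frozenset(r for (p2, a2, r) in self.delta if p2 == p and a2 == a)

    def pred(self, r: int, a: str) -> FrozenSet[int]:
        return frozenset(p for (p, a2, r2) in self.delta if r2 == r and a2 == a)


def _simulation(A: BA, base: Callable, moves: Callable) -> set:
    """Greatest fixpoint: start from all pairs allowed by the winning condition on the
    current configuration; delete (p, q) once Spoiler has a move p -a- p2 that
    Duplicator cannot answer with a move q -a- q2 such that (p2, q2) is still in R."""
    R = {(p, q) for p in A.states for q in A.states if base(p, q)}
    changed = True
    while changed:
        changed = False
        for (p, q) in list(R):
            if any(not any((p2, q2) in R for q2 in moves(q, a))
                   for a in A.alphabet for p2 in moves(p, a)):
                R.discard((p, q))
                changed = True
    return R


def direct_simulation(A: BA) -> set:
    """Forward direct simulation, winning condition (1): p_i in F implies q_i in F."""
    return _simulation(A, lambda p, q: p not in A.final or q in A.final, A.succ)


def backward_simulation(A: BA) -> set:
    """Backward simulation, condition (4): moves are taken backwards and both
    accepting and initial states must be matched."""
    return _simulation(A, lambda p, q: (p not in A.final or q in A.final)
                       and (p not in A.init or q in A.init), A.pred)


def strict(R: set) -> set:
    """Strict part of a preorder: asymmetric and transitive, as pruning requires."""
    return {(p, q) for (p, q) in R if (q, p) not in R}


def identity(A: BA) -> set:
    return {(p, p) for p in A.states}


def prune(A: BA, Rb: set, Rf: set) -> BA:
    """Prune(A, P(Rb, Rf)): drop p -a-> r when some p2 -a-> r2 with p Rb p2 and
    r Rf r2 exists. Deletions are decided on the original delta ('in parallel'),
    without recomputing the relations (GFP by Theorems 3.1 and 3.2)."""
    keep = {(p, a, r) for (p, a, r) in A.delta
            if not any((p, p2) in Rb and (r, r2) in Rf
                       for (p2, b, r2) in A.delta if b == a and (p2, r2) != (p, r))}
    return BA(A.states, A.alphabet, A.init, A.final, keep)


def remove_dead_states(A: BA) -> BA:
    """Drop states not reachable from I or unable to reach an accepting loop."""
    def closure(seed: Iterable[int], moves: Callable) -> Set[int]:
        seen, stack = set(seed), list(seed)
        while stack:
            s = stack.pop()
            for a in A.alphabet:
                for t in moves(s, a):
                    if t not in seen:
                        seen.add(t)
                        stack.append(t)
        return seen
    forward = closure(A.init, A.succ)
    # accepting states on a cycle: f is reachable from one of its own successors
    on_loop = {f for f in A.final
               if f in closure({r for a in A.alphabet for r in A.succ(f, a)}, A.succ)}
    live = forward & closure(on_loop, A.pred)
    delta = {(p, a, r) for (p, a, r) in A.delta if p in live and r in live}
    return BA(live, A.alphabet, A.init & live, A.final & live, delta)


def minimize(A: BA) -> BA:
    """Forward pruning, then backward pruning, each followed by dead-state removal;
    the simulations are recomputed in between, so every step is GFP on its own."""
    A = remove_dead_states(prune(A, identity(A), strict(direct_simulation(A))))
    return remove_dead_states(prune(A, strict(backward_simulation(A)), identity(A)))


# Constructed example (not from the paper): state 2 accepts every continuation, so
# 1 is strictly below 2 in direct simulation and 0 -a-> 1 is a 'little brother'.
EXAMPLE = BA(states={0, 1, 2}, alphabet={"a", "b"}, init={0}, final={2},
             delta={(0, "a", 1), (0, "a", 2), (1, "a", 1), (1, "b", 1), (1, "b", 2),
                    (2, "a", 2), (2, "b", 2)})
```

On EXAMPLE, `minimize` leaves states 0 and 2 with the transitions 0 -a-> 2, 2 -a-> 2 and 2 -b-> 2, and the language a(a+b)^ω is unchanged.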

Theorem 3.3. If $\mathcal{A} = \mathcal{A}/{\sqsubseteq^{bw}}$ then $P(\sqsubset^{bw}, \subset^{di})$ is GFP.

Proof. Let $\mathcal{A}' = \mathrm{Prune}(\mathcal{A}, P(\sqsubset^{bw}, \subset^{di}))$. We show $\mathcal{A} \subseteq \mathcal{A}'$. Let $w = \sigma_0 \sigma_1 \cdots \in L(\mathcal{A})$. Then there exists an infinite fair initial trace $\hat{\pi}$ on $w$ in $\mathcal{A}$. We show $w \in L(\mathcal{A}')$.

We call a trace $\pi = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$ on $w$ start-maximal iff it is initial and there does not exist any trace $\pi' = q'_0 \xrightarrow{\sigma_0} q'_1 \xrightarrow{\sigma_1} \cdots$ on $w$ s.t. $C^{di}(\pi, \pi')$ and $q_0 \sqsubset^{bw} q'_0$. We call a trace $\pi = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$ on $w$ $i$-good iff it is start-maximal and $\pi$ does not contain any transition $q_j \xrightarrow{\sigma_j} q_{j+1}$ for $j < i$ s.t. there exists an $\mathcal{A}$ transition $q_j \xrightarrow{\sigma_j} q'_{j+1}$ with $q_{j+1} \sqsubset^{bw} q'_{j+1}$ and there exists an infinite trace $\pi'[j+1..]$ from $q'_{j+1}$ with $C^{di}(\pi[j+1..], \pi'[j+1..])$.

Since $\mathcal{A}$ is finite, there are $\sqsubset^{bw}$-maximal elements among those finitely many successors of every state $q_j$ from which there exists an infinite trace $\pi'[j+1..]$ with $C^{di}(\pi[j+1..], \pi'[j+1..])$. Thus, for every infinite $i$-good trace $\pi$ on $w$ there exists an $(i+1)$-good trace $\pi'$ on $w$ s.t. $\pi$ and $\pi'$ are identical on the first $i$ steps and $C^{di}(\pi, \pi')$.

Since there is an infinite fair initial trace $\hat{\pi}$ on $w$, there also exists a start-maximal, and thus 0-good, fair initial trace on $w$, because $\sqsubset^{bw}$ has maximal elements. Then it follows from the property above that there exists an infinite initial trace $\tilde{\pi}$ on $w$ that is $i$-good for every $i$ and $C^{di}(\hat{\pi}, \tilde{\pi})$. In particular, this implies that $\tilde{\pi}$ is fair. So $\tilde{\pi}$ is an infinite fair initial trace on $w$ that is $i$-good for every $i$.

Let now $\tilde{\pi} = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$. We show that $\tilde{\pi}$ is also possible in $\mathcal{A}'$ by assuming the opposite and deriving a contradiction. Suppose that $\tilde{\pi}$ contains a transition $q_j \xrightarrow{\sigma_j} q_{j+1}$ that is not present in $\mathcal{A}'$. Then there must exist a transition $q'_j \xrightarrow{\sigma_j} q'_{j+1}$ in $\mathcal{A}'$ s.t. $q_j \sqsubset^{bw} q'_j$ and $q_{j+1} \subset^{di} q'_{j+1}$. We cannot have $j = 0$, because in this case $\tilde{\pi}$ would not be start-maximal and thus not even 1-good. So we get $j \ge 1$. Since $q_j \sqsubset^{bw} q'_j$ and $q_{j-1} \xrightarrow{\sigma_{j-1}} q_j$ there must exist a state $q'_{j-1}$ s.t. $q'_{j-1} \xrightarrow{\sigma_{j-1}} q'_j$ and $q_{j-1} \sqsubseteq^{bw} q'_{j-1}$. In particular, $q_{x+1} \in F \implies q'_{x+1} \in F$ for $x \in \{j-1, j\}$. By $\mathcal{A} = \mathcal{A}/{\sqsubseteq^{bw}}$ we obtain that either $q_{j-1} = q'_{j-1}$ or $q_{j-1} \sqsubset^{bw} q'_{j-1}$. The first case would imply that $\tilde{\pi}$ is not $j$-good, because $q_{j+1} \subset^{di} q'_{j+1}$, and thus yield a contradiction. Therefore, we must have $q_{j-1} \sqsubset^{bw} q'_{j-1}$. We cannot have $j-1 = 0$, because in this case $\tilde{\pi}$ would not be start-maximal and thus not even 1-good. So we get $j-1 \ge 1$. The whole argument above repeats with $j-1, j-2, j-3, \ldots$ substituted for $j$ until we get a contradiction or index 0 is reached. Reaching index 0 also yields a contradiction to start-maximality of $\tilde{\pi}$, as above. Therefore $\tilde{\pi}$ is a fair initial trace on $w$ in $\mathcal{A}'$ and thus $w \in L(\mathcal{A}')$. □

Theorem 3.4. $P(\subset^{bw}, \sqsubset^{di})$ is GFP.

Proof. Let $\mathcal{A}' = \mathrm{Prune}(\mathcal{A}, P(\subset^{bw}, \sqsubset^{di}))$. We show $\mathcal{A} \subseteq \mathcal{A}'$. Let $w = \sigma_0 \sigma_1 \cdots \in L(\mathcal{A})$. Then there exists an infinite fair initial trace $\hat{\pi}$ on $w$ in $\mathcal{A}$. We show $w \in L(\mathcal{A}')$.

Given some infinite initial trace $\pi = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$ on $w$, we call it $i$-good iff its first $i$ transitions are also possible in $\mathcal{A}'$.

We now show, by induction on $i$, the following property (P): For every infinite initial trace $\pi = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$ on $w$ and every $i \ge 0$, there exists an infinite initial trace $\pi' = q'_0 \xrightarrow{\sigma_0} q'_1 \xrightarrow{\sigma_1} \cdots$ on $w$ that is $i$-good and $C^{di}(\pi, \pi')$ and $\forall j \ge i .\ q_j \sqsubseteq^{di} q'_j$.

The base case $i = 0$ is trivially true with $\pi' = \pi$. For the induction step consider an infinite initial trace $\pi = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots$ on $w$. By induction hypothesis, there exists an infinite initial trace $\pi^1 = q^1_0 \xrightarrow{\sigma_0} q^1_1 \xrightarrow{\sigma_1} \cdots$ on $w$ that is $i$-good and $C^{di}(\pi, \pi^1)$ and $\forall j \ge i .\ q_j \sqsubseteq^{di} q^1_j$.

If $\pi^1$ is $(i+1)$-good then we are done. Otherwise, the transition $q^1_i \xrightarrow{\sigma_i} q^1_{i+1}$ is not present in $\mathcal{A}'$. Since $\mathcal{A}' = \mathrm{Prune}(\mathcal{A}, P(\subset^{bw}, \sqsubset^{di}))$, there must exist a transition $q^2_i \xrightarrow{\sigma_i} q^2_{i+1}$ in $\mathcal{A}'$ s.t. $q^1_i \subset^{bw} q^2_i$ and $q^1_{i+1} \sqsubset^{di} q^2_{i+1}$. It follows from the definitions of $\subset^{bw}$ and $\sqsubset^{di}$ that there exists an infinite initial trace $\pi^2 = q^2_0 \xrightarrow{\sigma_0} q^2_1 \xrightarrow{\sigma_1} \cdots$ on $w$ s.t. $C^{di}(\pi^1, \pi^2)$, $q^1_{i+1} \sqsubset^{di} q^2_{i+1}$ and $\forall j \ge i+1 .\ q^1_j \sqsubseteq^{di} q^2_j$. (This last property uses the fact that $\sqsubseteq^{di}$ propagates forward. Direct trace inclusion $\subseteq^{di}$ does not suffice.) By induction hypothesis, there exists an infinite initial trace $\pi^3 = q^3_0 \xrightarrow{\sigma_0} q^3_1 \xrightarrow{\sigma_1} \cdots$ on $w$ that is $i$-good and $C^{di}(\pi^2, \pi^3)$ and $\forall j \ge i .\ q^2_j \sqsubseteq^{di} q^3_j$. By transitivity we obtain $C^{di}(\pi, \pi^3)$, $q^1_{i+1} \sqsubset^{di} q^3_{i+1}$ and $\forall j \ge i+1 .\ q^1_j \sqsubseteq^{di} q^3_j$.

If $\pi^3$ is $(i+1)$-good then we are done. Otherwise, the argument of the above paragraph repeats and we obtain an infinite initial trace $\pi^5 = q^5_0 \xrightarrow{\sigma_0} q^5_1 \xrightarrow{\sigma_1} \cdots$ on $w$ that is $i$-good and $C^{di}(\pi^3, \pi^5)$, that $q^3_{i+1} \sqsubset^{di} q^5_{i+1}$ and $\forall j \ge i+1 .\ q^3_j \sqsubseteq^{di} q^5_j$. This process cannot repeat infinitely often, because this would imply an infinite strictly increasing $\sqsubset^{di}$-chain $q^{2x+1}_{i+1}$ for $x = 0, 1, 2, \ldots$, which is impossible in finite automata. Therefore, for some finite index $x$, we obtain an infinite initial trace $\pi^x = q^x_0 \xrightarrow{\sigma_0} q^x_1 \xrightarrow{\sigma_1} \cdots$ on $w$ that is $(i+1)$-good and, by transitivity, $C^{di}(\pi, \pi^x)$ and $\forall j \ge i+1 .\ q_j \sqsubseteq^{di} q^x_j$. Thus $\pi^x$ is the trace $\pi'$ that we were looking for.

Given the infinite fair initial trace $\hat{\pi}$ on $w$ in $\mathcal{A}$, it follows from property (P) and König's Lemma that there exists an infinite initial trace $\tilde{\pi}$ on $w$ that is $i$-good for every $i$ and $C^{di}(\hat{\pi}, \tilde{\pi})$. Therefore $\tilde{\pi}$ is an infinite fair initial trace on $w$ in $\mathcal{A}'$ and thus $w \in L(\mathcal{A}')$. □

Theorem 3.4 implies that P(⊏bw, ⊏di) is GFP, but P(⊑bw, ⊑di) is not; see Figure 2(a). Moreover, P(id, ⊑de) is not GFP (even if A = A/⊑de); see Figure 2(c).

The quotienting and transition pruning techniques described above use intricate combinations of backward and forward simulations (and more general trace inclusions). In particular, they subsume previous attempts to combine backward and forward simulations for automata minimization by mediated preorder [5] (but not vice-versa). Mediated preorder is defined as the largest fragment M ⊆ ⊑di ∘ (⊑bw)^{−1} s.t. M ∘ ⊑di ⊆ M. In particular, M is a preorder that is GFQ. However, an automaton A that has been minimized by the techniques described above cannot be further reduced by mediated preorder. First we have A = A/⊑bw = A/⊑di by repeated quotienting. Second, there cannot exist any distinct states x, y in A s.t. (x ⊑di y ∧ x ⊑bw y) by the pruning techniques above (used with simulations as approximations for trace inclusions) and the removal of dead states. Under these conditions, quotienting with mediated preorder has no effect, as the following theorem shows.

Theorem 3.5. Let A be an automaton s.t. (1) A = A/⊑bw = A/⊑di and (2) x ⊑di y ∧ x ⊑bw y ⇒ x = y. Then A = A/M.

Proof. We show that xMy ∧ yMx ⇒ x = y, which implies A = A/M.

Let xMy and yMx. By definition of M there exist mediators z s.t. x ⊑di z and y ⊑bw z, and w s.t. x ⊑bw w and y ⊑di w. Since M ∘ ⊑di ⊆ M we have xMw. Thus there exists a mediator k s.t. x ⊑di k and w ⊑bw k. By transitivity of ⊑bw we also have x ⊑bw k. By (2) we get x = k. Thus x ⊑bw w and w ⊑bw x. By (1) we get x = w. Thus y ⊑di w = x ⊑di z and by transitivity y ⊑di z. Moreover, y ⊑bw z as above. By (2) we get z = y. Thus x ⊑di z = y and y ⊑di w = x. By (1) we get x = y. □
(a) P(⊑bw, ⊑di) is not GFP: If the dashed transitions p_0 → q_0 and r_1 → s_1 are removed, then a 5 e t0 is no longer accepted. Note that A = A/⊑bw = A/⊑di. (This example even holds for ≼^{k-bw}, ≼^{k-di} and k = 3; cf. Section 4.)




(b) GFP is not closed under union: Pruning automaton A with P(id, ⊏di) ∪ P(⊏bw, id) would remove the transitions p →^a r and q →^a s, and thus aac a would no longer be accepted.

(c) P(id, ⊑de) is not GFP: We have q ⊑de p, but removing the dashed transition p → q makes the language empty, even though A = A/⊑de.




(d) P(⊑bw, ⊏f) is not GFP: In the automaton above, both transitions p → q and q → r are transient. Moreover, r ⊏f q (even r ⊏de q) and q ⊑bw p. However, removing the smaller transition q → r changes the language, since a a is no longer accepted. Thus, P(⊑bw, ⊏f) is not GFP even when one restricts to comparing/pruning only transient transitions (unlike P(id, ⊏f)).



Figure 2. Pruning counterexamples. 



4. Lookahead Simulations 

While trace inclusions are theoretically appealing as GFQ/GFI pre- 
orders coarser than simulations, it is not feasible to use them in 
practice, because they are too hard to compute (even their member- 
ship problem is PSPACE-complete). As a first attempt at achieving 
a better trade-off between complexity and size we recall multipeb- 
ble simulations [12], which are obtained by providing Duplicator 
with several pebbles, instead of one. However, computing multi- 
pebble simulations is not feasible in practice either, on automata of 
nontrivial size. Therefore, we explore yet another way of obtain- 
ing good under-approximations of trace inclusion: We introduce 
lookahead simulations, which are obtained by providing Duplicator 
with a limited amount of information about Spoiler's future moves. 
While lookahead itself is a classic concept (e.g., in parsing) it can 
be defined in several different ways in the context of adversarial 
games like in simulation. We compare different variants for com- 
putational efficiency and approximation quality. 



k-pebble simulation. Simulation preorder can be generalized by allowing Duplicator to control several pebbles instead of just one. In k-pebble simulation, k > 0, Duplicator's position is a set of at most k states (while Spoiler still controls exactly 1 state), which allows Duplicator to 'hedge her bets' in the simulation game. The direct, delayed, fair and backward winning conditions can be generalized to the multipebble framework [12]. For x ∈ {di, de, f, bw} and k > 0, k-pebble x-simulation is coarser than x-simulation and it implies x-containment; by increasing k, one can control the quality of the approximation to trace inclusion. Direct, delayed, fair and backward k-pebble simulations are not transitive in general, but their transitive closures are GFI preorders; the direct, delayed and backward variants are also GFQ. However, computing k-pebble simulations is infeasible, even for modest values of k. In fact, for a BA with n states, computing k-pebble simulation requires solving a game of size n · n^k. Even in the simplest case of k = 2 this means at least cubic space, which is not practical for large n. For this reason, we consider a different way to extend Duplicator's power, i.e., by using lookahead on the moves of Spoiler.

k-step simulation. We generalize simulation by having the players select sequences of transitions of length k > 0 instead of single transitions: This gives Duplicator more information, and thus yields a larger simulation relation. In general, k-step simulation and k-pebble simulation are incomparable, but k-step simulation is strictly contained in n-pebble simulation. However, the rigid use of lookahead in big steps causes at least two issues: 1) For a BA with n states, we need to store only n^2 configurations (p, q) (which is much less than k-pebble simulation). However, in every round we have to explore up to d^k different moves for each player (where d is the maximal out-degree of the automaton). In practice (e.g., d = 4, k = 12) this is still too large. 2) Duplicator's lookahead varies between 1 and k, depending on where she is in her response to Spoiler's long move. Thus, Duplicator might lack lookahead where it is most needed, while having a large lookahead in other situations where it is not useful. The next notion attempts to ameliorate this.

k-continuous simulation. Duplicator is continuously kept informed about Spoiler's next k moves, i.e., she always has lookahead k. Formally, a configuration of the simulation game consists of a pair (ρ_i, q_i), where ρ_i is the sequence of the next k − 1 moves from p_i that Spoiler has already committed to. In every round of the game, Spoiler reveals another move k steps in the future, and then makes the first of her announced k moves, to which Duplicator responds as usual. A pair of states (p, q) is in k-continuous simulation if Duplicator can win this game from every configuration (ρ, q), where ρ is a sequence of k − 1 moves from p. (k = 1 is ordinary simulation.) k-continuous simulation is strictly contained in n-pebble simulation (but incomparable with k-pebble simulation), and larger than k-step simulation. While this is arguably the strongest way of giving lookahead to Duplicator, it requires storing n^2 · d^{k−1} configurations, which is infeasible for nontrivial n and k (e.g., n = 10000, d = 4, k = 12).

k-lookahead simulation. We introduce k-lookahead simulation as an optimal compromise between k-step and k-continuous simulation. Intuitively, we put the lookahead under Duplicator's control, who can choose at each round how much lookahead she needs (up to k). Formally, configurations are pairs (p_i, q_i) of states. In every round of the game, Spoiler chooses a sequence of k consecutive transitions p_i →^{σ_i} p_{i+1} →^{σ_{i+1}} ··· →^{σ_{i+k−1}} p_{i+k}. Duplicator then chooses a number 1 ≤ m ≤ k and responds with a matching sequence of m transitions q_i →^{σ_i} q_{i+1} →^{σ_{i+1}} ··· →^{σ_{i+m−1}} q_{i+m}. The remaining k − m moves of Spoiler are forgotten, and the next round of the game starts at (p_{i+m}, q_{i+m}). In this way, the players build two infinite traces π_0 from p_0 and π_1 from q_0. Backward simulation is defined similarly with backward transitions. For acceptance condition x ∈ {di, de, f, bw}, Duplicator wins this play if C^x(π_0, π_1) holds.

Definition Two states (p_0, q_0) are in k-lookahead x-simulation, written p_0 ⊑^{k-x} q_0, iff Duplicator has a winning strategy in the above game.

Since ⊑^{k-x} is not transitive (unless k = 1; cf. Appendix B), we denote its transitive closure, which is a preorder, by ≼^{k-x}, and its asymmetric restriction by ≺^{k-x} = ≼^{k-x} ∖ (≼^{k-x})^{−1}.

Lookahead simulation offers the optimal trade-off between k-step and k-continuous simulation. Since the lookahead is discarded at each round, k-lookahead simulation is (strictly) included in k-continuous simulation (where the lookahead is never discarded). However, this has the benefit of only requiring n^2 configurations to be stored, which makes computing lookahead simulation space-efficient. On the other side, when Duplicator always chooses a maximal reply m = k we recover k-step simulation, which is thus included in k-lookahead simulation. Moreover, thanks to the fact that Duplicator controls the lookahead, most rounds of the game can be solved without ever reaching the maximal lookahead k: 1) for a fixed attack by Spoiler, we only consider Duplicator's responses for small m = 1, 2, ..., k until we find a winning one, and 2) also Spoiler's attacks can be built incrementally since, if she loses for some lookahead h, then she also loses for h' > h. In practice, this greatly speeds up the computation, and allows us to use lookaheads in the range 4-25, depending on the size and structure of the automata; see Section 7 for the experimental evaluation and benchmark against the GOAL tool [34].

k-lookahead simulation can also be expressed as a restriction of n-pebble simulation, where Duplicator is allowed to split pebbles maximally (thus n pebbles), but after a number m ≤ k of rounds (where m is chosen dynamically by Duplicator) she has to discard all but one pebble. Then, Duplicator is allowed to split pebbles maximally again, etc. Thus, k-lookahead simulation is contained in n-pebble simulation, though it is generally incomparable with k-pebble simulation.

Direct, delayed, fair and backward k-lookahead simulation have a fixed-point characterization expressible in μ-calculus (cf. Appendix C), which can be useful for a symbolic implementation. However, our current algorithm computes them with an explicit-state representation.

5. Automata Minimization 

We minimize automata by transition pruning and quotienting. 
While trace inclusions would be an ideal basis for such techniques, 
they (i.e., their membership problems) are PSPACE-complete. In- 
stead, we use lookahead simulations as efficiently computable 
under-approximations; in particular, we use 

• ≼^{k-di} in place of direct trace inclusion ⊑di (which is GFQ [12]).

• ≼^{k-de} in place of n-pebble delayed simulation (GFQ [12]).

• ≼^{k-f} in place of fair trace inclusion ⊑f (which is GFI).

• ≼^{k-bw} in place of backward trace inclusion ⊑bw (which is GFQ by Theorem 2.4).

For pruning, we apply the results of Section 3 and the substitutions 
above to obtain the following GFP relations: 

P(id, ≺^{k-di}), P(≺^{k-bw}, id), P(⊑^{k-bw}, ≺^{k-di}), P(≺^{k-bw}, ⊑^{k-di}), P(id, ≺^{k-f})

For quotienting, we employ delayed ≼^{k-de} and backward ≼^{k-bw} k-lookahead simulations (which are GFQ). Below, we describe two possible ways to combine our simplification techniques: Heavy-k and Light-k (which are parameterized by the lookahead value k).



Heavy-k. We advocate the following minimization procedure, 
which repeatedly applies all the techniques described in this paper 
until a fixpoint is reached: 1) Remove dead states. 2) Prune transi- 
tions w.r.t. the GFP relations above (using lookahead k). 3) Quo- 
tient w.r.t. ≼^{k-de} and ≼^{k-bw}. The resulting simplified automaton 
cannot be further reduced by any of these techniques. In this sense, 
it is a local minimum in the space of automata. Applying the tech- 
niques in a different order might produce a different local mini- 
mum, and, in general, there does not exist an optimal order that 
works best in every instance. In practice, the order is determined 
by efficiency considerations and easily computable operations are 
used first [1,2]. 
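As an added example (not code from the paper or its tool), the k-lookahead direct simulation game of Section 4 computed as a greatest fixpoint over state pairs, closed transitively to ≼^{k-di}, and used for one pruning step in the style of Heavy-k with P(id, ≺^{k-di}) followed by removal of unreachable states. The automaton is constructed so that q ⊑^{k-di} p holds for k = 2 but not for k = 1. Assumptions of this example: a Spoiler with fewer than k moves available plays as many as she can and a Spoiler with no move loses the round; only unreachable states are removed as dead.

```python
"""k-lookahead direct simulation (Section 4) and P(id, <^{k-di}) pruning
(Section 5) on a constructed Buechi automaton; added example, not the paper's."""
from dataclasses import dataclass
from itertools import product

@dataclass
class BA:
    states: list  # state names
    delta: dict   # state -> list of (letter, successor)
    init: set
    acc: set

def attacks(ba, p, k):
    """Spoiler's moves from p: sequences of k consecutive transitions as
    (letters, states). Assumption for the edge case: a shorter sequence is
    offered only at a dead end; a state with no transition gives no attack
    at all (Spoiler is stuck, so Duplicator wins the round)."""
    out = []
    def extend(letters, states):
        if len(letters) == k or not ba.delta[states[-1]]:
            if letters:
                out.append((tuple(letters), tuple(states)))
            return
        for a, succ in ba.delta[states[-1]]:
            extend(letters + [a], states + [succ])
    extend([], [p])
    return out

def has_response(ba, q, letters, pstates, rel):
    """Can Duplicator answer from q with 1 <= m <= len(letters) matching moves,
    keeping p_j in F => q_j in F at each step and stopping in a pair of rel?
    The unused k - m Spoiler moves are forgotten, as in the game of Section 4."""
    frontier = [q]
    for j, a in enumerate(letters, start=1):
        nxt = []
        for cur in frontier:
            for b, succ in ba.delta[cur]:
                if b != a or (pstates[j] in ba.acc and succ not in ba.acc):
                    continue
                if (pstates[j], succ) in rel:
                    return True  # Duplicator picks m = j and stops here
                nxt.append(succ)
        if not nxt:
            return False
        frontier = nxt
    return False

def lookahead_direct_sim(ba, k):
    """Greatest fixpoint: start from all pairs compatible with acceptance and
    drop (p, q) while some attack from p has no response from q."""
    rel = {(p, q) for p, q in product(ba.states, repeat=2)
           if p not in ba.acc or q in ba.acc}
    changed = True
    while changed:
        changed = False
        for p, q in sorted(rel):
            if any(not has_response(ba, q, ls, ps, rel)
                   for ls, ps in attacks(ba, p, k)):
                rel.remove((p, q))
                changed = True
    return rel

def preorder(ba, rel):
    """Transitive closure of the (non-transitive) game relation: <=^{k-di}."""
    clo = set(rel)
    for mid in ba.states:
        for p, q in product(ba.states, repeat=2):
            if (p, mid) in clo and (mid, q) in clo:
                clo.add((p, q))
    return clo

def prune(ba, pre):
    """P(id, strict pre): drop (p, a, r) when a sibling (p, a, r2) has r strictly
    below r2; then drop states unreachable from init (one kind of dead state)."""
    delta = {p: [(a, r) for a, r in ba.delta[p]
                 if not any(b == a and (r, r2) in pre and (r2, r) not in pre
                            for b, r2 in ba.delta[p])] for p in ba.states}
    reach, todo = set(ba.init), list(ba.init)
    while todo:
        for _, succ in delta[todo.pop()]:
            if succ not in reach:
                reach.add(succ)
                todo.append(succ)
    states = [s for s in ba.states if s in reach]
    return BA(states, {s: delta[s] for s in states}, set(ba.init), ba.acc & reach)

def heavy_step(ba, k):
    """One pruning round in the spirit of Heavy-k, using P(id, <^{k-di}) only."""
    pre = preorder(ba, lookahead_direct_sim(ba, k))
    return pre, prune(ba, pre)

# Constructed automaton: from q, Duplicator at p must commit to p1 or p2 one
# step before the letter (b or c) is revealed, so q <= p needs lookahead 2.
# p4 is strictly below p1, so p --a--> p4 is pruned and p4, p5 become dead.
EXAMPLE = BA(
    states=["p", "p1", "p2", "p3", "p4", "p5", "q", "q1", "q3"],
    delta={"p": [("a", "p1"), ("a", "p2"), ("a", "p4")],
           "p1": [("b", "p3")], "p2": [("c", "p3")], "p3": [("a", "p3")],
           "p4": [("b", "p5")], "p5": [("a", "p5")],
           "q": [("a", "q1")], "q1": [("b", "q3"), ("c", "q3")],
           "q3": [("a", "q3")]},
    init={"p", "q"}, acc={"p3", "q3"})
```

Running `heavy_step(EXAMPLE, k)` for k = 1 and k = 2 shows the pair (q, p) appearing only at k = 2, while the pruning of p →a p4 already happens at k = 1.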

Remark While quotienting with ordinary simulation is idempo- 
tent, in general this is not true for lookahead simulations, because 
these relations are not preserved under quotienting (unlike ordi- 
nary simulation). Moreover, quotienting w.r.t. forward simulations 
does not preserve backward simulations, and vice- versa. Our exper- 
iments showed that repeatedly and alternatingly quotienting w.r.t. 
≼^{k-de} and ≼^{k-bw} (in addition to our pruning techniques) yields the 
best minimization effect. 

The Heavy-k procedure strictly subsumes all simulation-based automata minimization methods described in the literature (removing dead states, quotienting, pruning of 'little brother' transitions, mediated preorder), except for the following two: 1) The fair simulation minimization of [19] works by tentatively merging fair simulation equivalent states and then checking if this operation preserved the language. (In general, fair simulation is not GFQ.) It subsumes quotienting with ⊑de (but not ≼^{k-de}) and is implemented in GOAL [34]. We benchmarked our methods against it and found Heavy-k to be much better in both effect and efficiency; cf. Section 7. 2) The GFQ jumping-safe preorders of [8, 9] are incomparable to the techniques described in this paper. If applied in addition to Heavy-k, they yield a very modest extra minimization effect.

Light-k. This procedure is defined purely for comparison reasons. It demonstrates the effect of the lookahead k in a single quotienting operation and works as follows: Remove all dead states and then quotient w.r.t. ≼^{k-de}. Although Light-k achieves much less than Heavy-k, it is not necessarily faster. This is because it uses the more expensive to compute relation ≼^{k-de} directly, while Heavy-k applies other cheaper (pruning) operations first and only then computes ≼^{k-de} on the resulting smaller automaton.

6. Language Inclusion Checking 

The language inclusion problem A ⊆ B is PSPACE-complete [25]. 
It can be solved via complementation of B [31, 34] and, more ef- 
ficiently, by rank-based ([17] and references therein) or Ramsey- 
based methods [3, 4, 15, 16], or variants of Piterman's construc- 
tion [29, 34]. Since these all have exponential time complexity, it 
helps significantly to first minimize the automata in a preprocessing 
step. Better minimization techniques, as described in the previous 
sections, make it possible to solve significantly larger instances. 
However, our simulation-based techniques can not only be used 
in preprocessing, but actually solve most instances of the inclu- 
sion problem directly. This is significant, because simulation scales 
polynomially (quadratic average-case complexity; cf. Section 7). 

6.1 Inclusion-preserving minimization 

Inclusion checking algorithms generally benefit from language-preserving minimization preprocessing (cf. Sec. 5). However, preserving the languages of A and B in the preprocessing is not actually necessary. A preprocessing on A, B is said to be inclusion-preserving iff it produces automata A', B' s.t. A ⊆ B ⟺ A' ⊆ B' (regardless of whether A ≈ A' or B ≈ B'). In the following, we consider two inclusion-preserving preprocessing steps.

Simplify A. In theory, the problem A ⊆ B is only hard in B, but polynomial in the size of A. However, this is only relevant if one actually constructs the exponential-size complement of B, which is of course to be avoided. For polynomial simulation-based algorithms it is crucial to also minimize A. The idea is to remove transitions in A which are 'covered' by better transitions in B.

Definition Given A = (Σ, Q_A, I_A, F_A, δ_A), B = (Σ, Q_B, I_B, F_B, δ_B), let P ⊆ δ_A × δ_B be a relation for comparing transitions in A and B. The pruned version of A is Prune(A, B, P) := (Σ, Q_A, I_A, F_A, δ') with δ' = {(p, σ, r) ∈ δ_A | ∄(p', σ, r') ∈ δ_B. (p, σ, r) P (p', σ, r')}.

A ⊆ B implies Prune(A, B, P) ⊆ B (since Prune(A, B, P) ⊆ A). When also the other direction holds (so pruning is inclusion-preserving), we say that P is good for A,B-pruning, i.e., when A ⊆ B ⟺ Prune(A, B, P) ⊆ B. Intuitively, pruning is correct when the removed edges do not allow A to accept any word which is not already accepted by B. In other words, if there is a counterexample to inclusion in A, then it can even be found in Prune(A, B, P). As in Sec. 3, we compare transitions by looking at their endpoints: For state relations R_b, R_f ⊆ Q_A × Q_B, let P(R_b, R_f) = {((p, σ, r), (p', σ, r')) | p R_b p' ∧ r R_f r'}.

Since inclusion-preserving pruning does not have to respect the language, we can use much weaker (i.e., coarser) relations for comparing endpoints. Let ⊑bw− be the variant of ⊑bw where accepting states are not taken into consideration.

Theorem 6.1. P(⊑bw−, ⊑f) is good for A,B-pruning.

Proof. Let P = P(⊑bw−, ⊑f). One direction is trivial. For the other direction, by contraposition, assume Prune(A, B, P) ⊆ B, but A ⊈ B. There exists a w ∈ L(A) s.t. w ∉ L(B). There exists an initial fair trace π = q_0 →^{σ_0} q_1 →^{σ_1} ··· on w in A. There are two cases.

1. π does not contain any transition q_i →^{σ_i} q_{i+1} that is not present in Prune(A, B, P). Then π is also an initial fair trace on w in Prune(A, B, P), and thus we obtain w ∈ L(Prune(A, B, P)) and w ∈ L(B). Contradiction.

2. π contains a transition q_i →^{σ_i} q_{i+1} that is not present in Prune(A, B, P). Therefore there exists a transition q'_i →^{σ_i} q'_{i+1} in B s.t. q_i ⊑bw− q'_i and q_{i+1} ⊑f q'_{i+1}. Thus there exists an initial fair trace on w in B and thus w ∈ L(B). Contradiction. □

We can approximate ⊑bw− with (the transitive closure of) a corresponding k-lookahead simulation ⊑^{k-bw−}, which is defined as ⊑^{k-bw}, except that only initial states are considered, i.e., the winning condition is C^{bw−}(π_0, π_1) ≡ ∀(i ≥ 0). p_i ∈ I ⇒ q_i ∈ I. Let ≼^{k-bw−} be the transitive closure of ⊑^{k-bw−}. Since GFP is ⊆-downward closed and P(·, ·) is monotone, we get this corollary.

Corollary 6.2. P(≼^{k-bw−}, ≼^{k-f}) is good for A,B-pruning.

Simplify B. Let A × B be the synchronized product of A and B. The idea is to remove states in B which cannot be reached in A × B. Let R be the set of states in A × B reachable from I_A × I_B, and let X ⊆ Q_B be the projection of R to the B-component. We obtain B' from B by removing all states ∉ X and their associated transitions. Although B' ≉ B, this operation is clearly inclusion-preserving.

6.2 Jumping fair simulation as a better GFI relation 

We further generalize the GFI preorder by allowing Duplicator even more freedom. The idea is to allow Duplicator to take jumps during the simulation game (in the spirit of [9]). For a preorder ≤ on Q, in the game for ≤-jumping k-lookahead simulation Duplicator is allowed to jump to ≤-larger states before taking a transition. Thus, a Duplicator's move is of the form q_i ≤ q'_i →^{σ_i} q_{i+1} ≤ q'_{i+1} →^{σ_{i+1}} ··· →^{σ_{i+m−1}} q_{i+m}, and she eventually builds an infinite ≤-jumping trace. We say that this trace is accepting at step i iff ∃q'' ∈ F. q_i ≤ q'' ≤ q'_i, and fair iff it is accepting infinitely often. As usual, ≤-jumping k-lookahead fair simulation holds iff Duplicator wins the corresponding game, with the fair winning condition lifted to jumping traces.

Not all preorders ≤ induce GFI jumping simulations. The preorder ≤ is called jumping-safe [9] if, for every word w, there exists a ≤-jumping initial fair trace on w iff there exists an initial fair non-jumping one. Thus, jumping-safe preorders allow one to convert jumping traces into non-jumping ones. Consequently, for a jumping-safe preorder ≤, ≤-jumping k-lookahead fair simulation is GFI.

One can prove that ⊑bw is jumping-safe, while ⊑bw− is not. We even improve ⊑bw to a slightly more general jumping-safe relation ⊑bw−c, by only requiring that Duplicator visits at least as many accepting states as Spoiler does, but not necessarily at the same time. Formally, p_m ⊑bw−c q_m iff, for every initial w-trace π_0 = p_0 →^{σ_0} p_1 →^{σ_1} ··· →^{σ_{m−1}} p_m, there exists an initial w-trace π_1 = q_0 →^{σ_0} q_1 →^{σ_1} ··· →^{σ_{m−1}} q_m, s.t. |{i | p_i ∈ F}| ≤ |{i | q_i ∈ F}|.

Theorem 6.3. The preorder ⊑bw−c is jumping-safe.



Proof. Since ⊑bw−c is reflexive, the existence of an initial fair trace on w directly implies the existence of a ⊑bw−c-jumping initial fair trace on w.

Now, we show the reverse implication. Given two initial ⊑bw−c-jumping traces on w, π_0 = p_0 ⊑bw−c p'_0 →^{σ_0} p_1 ⊑bw−c p'_1 →^{σ_1} ··· and π_1 = q_0 ⊑bw−c q'_0 →^{σ_0} q_1 ⊑bw−c q'_1 →^{σ_1} ···, we define C^c_j(π_0, π_1) iff |{i < j | ∃p''_i ∈ F. p_i ⊑bw−c p''_i ⊑bw−c p'_i}| ≤ |{i < j | ∃q''_i ∈ F. q_i ⊑bw−c q''_i ⊑bw−c q'_i}|. We say that an initial ⊑bw−c-jumping trace on w is i-good iff it does not jump within the first i steps.

We show, by induction on i, the following property (P): For every i and every infinite ⊑bw−c-jumping initial trace π = p_0 ⊑bw−c p'_0 →^{σ_0} p_1 ⊑bw−c p'_1 ··· on w there exists an initial i-good trace π^i = q_0 →^{σ_0} q_1 →^{σ_1} q_2 ··· on w s.t. C^c_i(π, π^i) and the suffixes of the traces are identical, i.e., q_i = p_i and π[i..] = π^i[i..].

For the base case i = 0 we take π^0 = π. Now we consider the induction step. By induction hypothesis we get an initial i-good trace π^i s.t. C^c_i(π, π^i) and q_i = p_i and π[i..] = π^i[i..]. If π^i is (i+1)-good then we can take π^{i+1} = π^i. Otherwise, π^i contains a step q_i ⊑bw−c q'_i →^{σ_i} q_{i+1}. First we consider the case where there exists a q''_i ∈ F s.t. q_i ⊑bw−c q''_i ⊑bw−c q'_i. (Note that the i-th step in π^i can count as accepting in C^c because q''_i ∈ F, even if q_i and q'_i are not accepting.) By def. of ⊑bw−c there exists an initial trace π'' on a prefix of w that ends in q''_i and visits accepting states at least as often as the non-jumping prefix of π^i that ends in q_i. Again by definition of ⊑bw−c there exists an initial trace π' on a prefix of w that ends in q'_i and visits accepting states at least as often as π''. Thus π' visits accepting states at least as often as the jumping prefix of π^i that ends in q'_i (by the definition of C^c). By composing the traces we get π^{i+1} = π' (q'_i →^{σ_i} q_{i+1}) π^i[i+1..]. Thus π^{i+1} is an (i+1)-good initial trace on w and π[i+1..] = π^i[i+1..] = π^{i+1}[i+1..] and C^c_{i+1}(π^i, π^{i+1}) and C^c_{i+1}(π, π^{i+1}). The other case where there is no q''_i ∈ F s.t. q_i ⊑bw−c q''_i ⊑bw−c q'_i is similar, but simpler.

Let π be an initial ⊑bw−c-jumping fair trace on w. By property (P) and König's Lemma there exists an infinite initial non-jumping fair trace π' on w. Thus ⊑bw−c is jumping-safe. □
As a direct consequence, ⊑bw−c-jumping k-lookahead fair simulation is GFI. Since ⊑bw−c is difficult to compute, we approximate it by a corresponding lookahead simulation ⊑^{k-bw−c} which, in the same spirit, counts and compares the number of visits to accepting states in every round of the k-lookahead backward simulation game. Let ≼^{k-bw−c} be the transitive closure of ⊑^{k-bw−c}.

Corollary 6.4. ≼^{k-bw−c}-jumping k-lookahead fair simulation is GFI.

6.3 Advanced inclusion checking algorithm 

Given these techniques, we propose the following algorithm for inclusion checking A ⊆ B.

(1) Use the Heavy-k procedure to minimize A and B, and additionally apply the inclusion-preserving minimization techniques from Sec. 6.1. Lookahead simulations are computed not only on A and B, but also between them (i.e., on their disjoint union). Since they are GFI, we check whether they already witness inclusion. Since many simulations are computed between partly minimized versions of A and B, this witnesses inclusion much more often than checking fair simulation between the original versions. This step either stops showing inclusion, or produces smaller inclusion-equivalent automata A', B'.

(2) Check the GFI ≼^{k-bw−c}-jumping k-lookahead fair simulation from Sec. 6.2 between A' and B', and stop if the answer is yes.

(3) If inclusion was not established in steps (1) or (2) then try to find a counterexample to inclusion. This is best done by a Ramsey-based method (optionally using simulation-based subsumption techniques), e.g., [1, 4]. Use a small timeout value, since in most non-included instances there exists a very short counterexample. Stop if a counterexample is found.

(4) If steps (1)-(3) failed (rare in practice), use any complete method (e.g., rank-based, Ramsey-based or Piterman's construction) to check A' ⊆ B'. At least, it will benefit from working on the smaller instance A', B' produced by step (1).

Note that steps (1)-(3) take polynomial time, while step (4) takes exponential time. (For the latter, we recommend the improved Ramsey method of [1, 4] and the on-the-fly variant of Piterman's construction [29] implemented in GOAL [34].) This algorithm allows us to solve much larger instances of the inclusion problem than previous methods [3, 4, 15-17, 29, 31, 34], i.e., automata with 1000-20000 states instead of 10-100 states; cf. Section 7.

7. Experiments 

We test the effectiveness of Heavy-k minimization on Tabakov- 
Vardi random automata [33], on automata derived from LTL for- 
mulae, and on automata derived from mutual exclusion protocols, 
and compare it to the best previously available techniques imple- 
mented in GOAL [34]. A scalability test shows that Heavy-k has 
quadratic average-case complexity and it is vastly more efficient 
than GOAL. Furthermore, we test our methods for language inclu- 
sion on large instances and compare their performance to previous 
techniques. Due to space limitations, we only give a summary of 
the results, but all details and the runnable tools are available [2]. 
Unless otherwise stated, the experiments were run with Java 6 on 
Intel Xeon X5550 2.67GHz and 14GB memory. 

Random automata. The Tabakov-Vardi model [33] generates 
random automata according to the following parameters: the num- 
ber of states n, the size of the alphabet |Σ|, the transition density 
td (number of transitions, relative to n and |Σ|) and the acceptance 
density ad (percentage of accepting states). Apart from this, they 
do not have any special structure, and thus minimization and lan- 
guage inclusion problem are harder for them than for automata 



from other sources (see below). Random automata provide general 
reproducible test cases, on average. Moreover, they are the only 
test cases that are guaranteed to be unbiased towards any particular 
method. Thus, it is a particular sign of quality if a method performs 
well even on these hard cases. 

The inherent difficulty of the minimization problem, and thus 
also the effectiveness of minimization methods, depends strongly 
on the class of random automata, i.e., on the parameters listed 
above. Thus, one needs to compare the methods over the whole 
range, not just for one example. Variations in ad do not affect Heavy-k much (cf. Appendix A.1), but very small values make minimization harder for the other methods. By far the most important parameter is td. The following figure shows typical results. We take n = 100, |Σ| = 2, ad = 0.5 and the range of td = 1.0, 1.1, ..., 3.0. For each td we created 300 random automata, minimized them with different methods, and plotted the resulting average number of states after minimization. Each curve represents a different method: RD (just remove dead states), Light-1, Light-12, Heavy-1, Heavy-12 and GOAL. The GOAL curve shows the best effort of all previous techniques (as implemented in GOAL), which include RD, quotienting with backward and forward simulation, pruning of little brother transitions and the fair simulation minimization of [19] (which subsumes quotienting with delayed simulation).




[Figure: average number of states after minimization plotted against transition density td for RD, Light-1, Light-12, Heavy-1, Heavy-12 and GOAL]

Sparse automata with low td have more dead states. For td < 1.4 no technique except RD has any significant effect. GOAL minimizes just slightly worse than Heavy-1 but it is no match for our best techniques. Heavy-12 vastly outperforms all others, particularly in the interesting range between 1.4 and 2.5. Moreover, the minimization of GOAL (in particular the fair simulation minimization of [19]) is very slow. For GOAL, the average minimization time per automaton varies between 39s (at td = 1.0) and 612s (maximal at td = 2.9). In contrast, for Heavy-12, the average minimization time per automaton varies between 0.012s (at td = 1.0) and 1.482s (max. at td = 1.7). So Heavy-12 minimizes not only much better, but also at least 400 times faster than GOAL (see also the scalability test).

For td > 2.0, Heavy-12 yields very small automata. Many of these are even universal, i.e., with just one state and a universal loop. However, this frequent universality is not due to trivial reasons (otherwise simpler techniques like Light-1 and GOAL would also recognize this). Consider the following question: Given Tabakov-Vardi random automata with parameters n, |Σ| and td, what is the probability U(n, |Σ|, td) that every state has at least one outgoing transition for every symbol in Σ? (Such an automaton would be trivially universal if ad = 1.)

Theorem 7.1. $U(n, |\Sigma|, td) = (\alpha(n,T)/\beta(n,T))^{|\Sigma|}$, with $T = n \cdot td$, $\alpha(n,T) = \sum_{m=n}^{n^2} \binom{m-n}{T-n} \sum_{i=0}^{\lfloor (m-n)/n \rfloor} (-1)^i \binom{n}{i} \binom{m-in-1}{n-1}$ and $\beta(n,T) = \binom{n^2}{T}$.

Proof. For each symbol in Σ there are T = n·td transitions and n²
possible places for transitions, described as a grid. α(n,T) is the
number of ways T items can be placed onto an n × n grid s.t. every
row contains ≥ 1 item, i.e., every state has an outgoing transition.
β(n,T) is the number of possibilities without this restriction,
which is trivially \binom{n^2}{T}. Since the Tabakov-Vardi model
chooses transitions for different symbols independently, we have
U(n,|Σ|,td) = (α(n,T)/β(n,T))^{|Σ|}. It remains to compute α(n,T).
For the i-th row let x_i ∈ {1,...,n} be the maximal column
containing an item. The remaining T − n items can only be
distributed to lower columns. Thus

\[
\alpha(n,T) = \sum_{x_1,\ldots,x_n} \binom{\sum_i (x_i - 1)}{T-n}.
\]

With m = Σ_i x_i and a standard dice-sum problem from [28] the
result follows. □
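To make the theorem concrete, here is an added Python example (my own code, not the paper's) that evaluates U(n,|Σ|,td) exactly with the dice-sum formula of Theorem 7.1, validates α(n,T) against exhaustive enumeration on grids small enough to enumerate, and adds a second count by inclusion-exclusion over the set of empty rows (my own derivation, not in the paper) that is cheap enough to evaluate the n = 100 cases quoted below. Function names are assumptions.

```python
from fractions import Fraction
from itertools import combinations
from math import comb

# Added example: evaluate U(n, |Sigma|, td) from Theorem 7.1.  Names of the
# helper functions are my own; the checks below are constructed, not the
# paper's data.


def dice_sum_count(n, m):
    """Ways for n dice, each with faces 1..n, to show total m: the standard
    dice-sum formula the proof refers to ([28])."""
    if m < n or m > n * n:
        return 0
    return sum((-1) ** i * comb(n, i) * comb(m - n * i - 1, n - 1)
               for i in range((m - n) // n + 1))


def alpha(n, T):
    """Placements of T items on an n x n grid with every row occupied, exactly
    as in the proof: x_i is the rightmost occupied column of row i, m is the
    sum of the x_i, and the other T - n items go into the m - n cells left of
    those maxima."""
    if T < n or T > n * n:
        return 0
    return sum(comb(m - n, T - n) * dice_sum_count(n, m)
               for m in range(n, n * n + 1))


def alpha_by_rows(n, T):
    """Independent cross-check (my own, not from the paper): inclusion-
    exclusion over the set of empty rows.  Needs only n + 1 binomials, so it
    is cheap even for n = 100, where the dice-sum form is slow."""
    return sum((-1) ** i * comb(n, i) * comb(n * (n - i), T)
               for i in range(n + 1))


def alpha_brute(n, T):
    """Exhaustive count for tiny grids, used only to validate the formulas."""
    cells = [(r, c) for r in range(n) for c in range(n)]
    return sum(1 for chosen in combinations(cells, T)
               if len({r for r, _ in chosen}) == n)


def beta(n, T):
    """Unrestricted placements: binom(n^2, T)."""
    return comb(n * n, T)


def universality_probability(n, sigma, td, count=alpha):
    """U(n, |Sigma|, td) = (alpha(n, T) / beta(n, T)) ** |Sigma|, T = n * td.
    Returns an exact Fraction; n * td must be an integer (Tabakov-Vardi)."""
    T = n * td
    if T != int(T):
        raise ValueError("n * td must be an integer number of transitions")
    return Fraction(count(n, int(T)), beta(n, int(T))) ** sigma


if __name__ == "__main__":
    # Closed form vs. exhaustive enumeration on grids small enough to enumerate.
    for n in (2, 3, 4):
        for T in range(n, n * n + 1):
            assert alpha(n, T) == alpha_by_rows(n, T) == alpha_brute(n, T)
    # The setting of Section 7: n = 100, |Sigma| = 2, td from 2.0 to 8.0.
    for td in (2.0, 3.0, 4.0, 5.0, 6.0, 8.0):
        u = universality_probability(100, 2, td, count=alpha_by_rows)
        print(f"td = {td}: U = {float(u):.2g}")
```

The dice-sum form sums over all m up to n², so for n = 100 it needs on the order of a million big-integer binomials; the row-based count gives the same α(n,T) with 101 terms, which is why the n = 100 loop uses it.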



[Chart: size of fair, delayed, direct and backward simulation as the
lookahead k grows from 1 to 12; n = 100, td = 1.8, ad = 0.9]



For n = 100, |Σ| = 2 we obtain the following values for U(n,|Σ|,td):
10^{-15} for td = 2.0, 2.9·10^{-5} for td = 3.0, 0.03 for td = 4.0,
0.3 for td = 5.0, 0.67 for td = 6.0, and 0.95 for td = 8.0. So this
transition saturation effect is negligible in our tested range with
td < 3.0.

While Heavy-12 performs very well, an even smaller lookahead can
already be sufficient for a good minimization. However, this depends
very much on the density td of the automata. The following chart
shows the effect of the lookahead by comparing Heavy-k for varying k
on different classes of random automata with different density
td = 1.6, 1.7, 1.8, 1.9, 2.0. We have n = 100, |Σ| = 2 and ad = 0.5,
and every point is the average of 1000 automata.



[Chart: The effect of lookahead: Heavy-k for k = 1, ..., 12]




The big advantage of Heavy-12 over Light-12 is due to the pruning
techniques. However, these only reach their full potential at higher
lookaheads (thus the smaller difference between Heavy-1 and Light-1).
Indeed, the simulation relations get much denser with higher
lookahead k. We consider random automata with n = 100, |Σ| = 2 and
td = 1.8 (a nontrivial case; larger td yield larger simulations). We
let ad = 0.1 (resp. ad = 0.9), and plot the size of fair, delayed,
direct, and backward simulation as k increases from 1 to 12. Every
point is the average of 1000 automata.



[Chart: size of fair, delayed, direct and backward simulation as the
lookahead k grows from 1 to 12; n = 100, td = 1.8, ad = 0.1
(x-axis: Lookahead)]



Fair/delayed simulation is not much larger than direct simulation
for k = 1, but they benefit strongly from higher k. Backward
simulation increases only slightly (e.g., from 365 to 381 pairs for
ad = 0.9). Initially, it seems as if backward/direct simulation does
not benefit from higher k if ad is small (on random automata), but
this is wrong. Even random automata get less random during the
Heavy-k minimization process, making lookahead more effective for
backward/direct simulation. Consider the case of n = 300, td = 1.8
and ad = 0.1. Initially, the average ratio |⊑^{12-di}| / |⊑^{1-di}|
is 1.00036, but after quotienting with ⊑^{12-de} this ratio is 1.103.

LTL. For model checking [22], LTL-formulae are converted into Büchi
automata. This conversion has been extensively studied and there are
many different algorithms which try to construct the smallest
possible automaton for a given formula (see references in [34]). It
should be noted however, that LTL is designed for human readability
and does not cover the full class of ω-regular languages. Moreover,
Büchi Store [35] contains handcrafted automata for almost every
human-readable LTL-formula and none of these automata has more than
7 states. Still, since many people are interested in LTL to automata
conversion, we tested how much our minimization algorithm can
improve upon the best effort of previous techniques. For LTL model
checking, the size of the automata is not the only criterion [30],
since more non-determinism also makes the problem harder. However,
our transition pruning techniques only make an automaton 'more
deterministic'.

Using a function of GOAL, we created 300 random LTL-formulae of
nontrivial size: length 70, 4 predicates and probability weights 1
for boolean and 2 for future operators. We then converted these
formulae to Büchi automata and minimized them with GOAL. Of the 14
different converters implemented in GOAL we chose LTL2BA [18] (which
is also used by the SPIN model checker [22]), since it was the only
one which could handle such large formulae. (The second best was
COUVREUR which succeeded on 90% of the instances, but produced much
larger automata than LTL2BA. The other converters ran out of time
(4h) or memory (14GB) on most instances.) We thus obtained 300
automata and minimized them with GOAL. The resulting automata vary
significantly in size from 1 state to 1722 states [2].

Then we tested how much further these automata could be reduced in
size by our Heavy-12 method (cf. Appendix A.2). In summary, 82% of
the automata could be further reduced in size. The average number of
states declined from 138 to 78, and the average number of transitions
from 3102 to 1270. Since larger automata have a disproportionate
effect on averages, we also computed the average reduction ratio per
automaton, i.e., (1/300) Σ_i newsize_i / oldsize_i. (Note the
difference between the average ratio and the ratio of averages.) The
average ratio was 0.76 for states and 0.68 for transitions. The
computation times for minimization vary a lot due to different
automata sizes (average 122s), but were always less than the time
used by the LTL to automata translation. If one only considers the
150 automata above median size (30 states) then the results are even
stronger. 100% of these automata could be further reduced in size.
The average number of states declined from 267 to 149, and the
average number of transitions from 6068 to 2435. The average
reduction ratio was 0.65 for states and 0.54 for transitions. To
conclude, our minimization can significantly improve the quality of
LTL to automata translation with a moderate overhead.



Mutual exclusion protocols. We consider automata derived from mutual
exclusion protocols. The protocols were described in a language of
guarded commands and automatically translated into Büchi automata,
whose size is given in the column 'Original'. By row, the protocols
are Bakery.1, Bakery.2, Fischer.3.1, Fischer.3.2, Fischer.2,
Phils.1.1, Phils.2 and Mcs.1.2. We minimize these automata with GOAL
and with our Heavy-12 method and describe the sizes of the resulting
automata and the runtime in subsequent columns (Java 6 on Intel
i7-740, 1.73 GHz). In some instances GOAL ran out of time (2h) or
memory (14GB).
Scalability. We test the scalability of Heavy-12 minimization by
applying it to Tabakov-Vardi random automata of increasing size but
fixed td, ad and Σ. We ran four separate tests with td = 1.4, 1.6,
1.8 and 2.0. In each test we fixed ad = 0.5, |Σ| = 2 and increased
the number of states from n = 50 to n = 1000 in increments of 50. For
each parameter point we created 300 random automata and minimized
them with Heavy-12. We analyze the average size of the minimized
automata in percent of the original size n, and how the average
computation time increases with n.

For td = 1.4 the average size of the minimized automata stays 
around 77% of the original size, regardless of n. For td = 1.6 it 
stays around 65%. For td = 1.8 it decreases from 28% at n = 50 
to 2% at n = 1000. For td = 2.0 it decreases from 8% at n = 50 
to < 1% at n = 1000 (cf. Appendix A.2). Note that the lookahead 
of 12 did not change with n. Surprisingly, larger automata do not 
require larger lookahead for a good minimization. 

We plot the average computation time (measured in ms) in n and then
compute the optimal fit of the function time = a·n^b to the data by
the least-squares method, i.e., this computes the parameters a and b
of the function that most closely fits the experimental data. The
important parameter is the exponent b. For td = 1.4, 1.6, 1.8, 2.0
we obtain 0.018·n^{2.14}, 0.32·n^{2.39}, 0.087·n^{2.05} and
0.055·n^{2.09}, respectively. Thus, the average-case complexity of
Heavy-12 scales (almost) quadratically. This is especially
surprising given that Heavy-12 does not only compute one simulation
relation but potentially many simulations until the repeated
minimization reaches a fixpoint. Quadratic complexity is the very
best one can hope for in any method that explicitly compares
states/transitions by simulation relations, since the relations
themselves are of quadratic size. Lower complexity is only possible
with pure partition refinement techniques (e.g., bisimulation, which
is O(n log n)), but these achieve even less minimization than
quotienting with direct simulation (i.e., next to nothing on hard
instances).
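The fit itself is a short computation. As an added example (my own code, not the paper's), the following Python performs the least-squares fit of time = a·n^b by fitting the straight line ln time = ln a + b·ln n; that log-log regression is one standard way to do the least-squares fit the text describes, and whether the paper fitted in log space or directly is not stated, so it is an assumption here. The data points are constructed from the td = 1.4 fit 0.018·n^{2.14} on the paper's grid n = 50, 100, ..., 1000, not measured.

```python
import math

# Added example (not from the paper): least-squares fit of time = a * n^b in
# log-log space, and a constructed data set to exercise it.


def fit_power_law(points):
    """Fit time = a * n**b by ordinary least squares on (ln n, ln time).
    points: iterable of (n, time) with n > 0 and time > 0.  Returns (a, b)."""
    xs = [math.log(n) for n, _ in points]
    ys = [math.log(t) for _, t in points]
    cnt = len(xs)
    if cnt < 2:
        raise ValueError("need at least two data points")
    mean_x, mean_y = sum(xs) / cnt, sum(ys) / cnt
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    b = sxy / sxx                         # slope in log-log space = exponent
    a = math.exp(mean_y - b * mean_x)     # intercept gives ln a
    return a, b


def r_squared(points, a, b):
    """Coefficient of determination of the fit, measured in log-log space."""
    ys = [math.log(t) for _, t in points]
    mean_y = sum(ys) / len(ys)
    ss_res = sum((math.log(t) - (math.log(a) + b * math.log(n))) ** 2
                 for n, t in points)
    ss_tot = sum((y - mean_y) ** 2 for y in ys)
    return 1.0 - ss_res / ss_tot


def constructed_timings(a, b, noise=0.0):
    """Synthetic (n, ms) pairs on the grid n = 50, 100, ..., 1000, with an
    optional deterministic multiplicative wobble standing in for measurement
    noise.  Constructed data, not the paper's measurements."""
    pts = []
    for i, n in enumerate(range(50, 1001, 50)):
        wobble = 1.0 + noise * math.sin(i)
        pts.append((n, a * n ** b * wobble))
    return pts


if __name__ == "__main__":
    a, b = fit_power_law(constructed_timings(0.018, 2.14))
    print(f"noise-free data: time ~ {a:.3f} * n^{b:.2f}")
    noisy = constructed_timings(0.018, 2.14, noise=0.10)
    a2, b2 = fit_power_law(noisy)
    print(f"10% wobble:      time ~ {a2:.3f} * n^{b2:.2f}, "
          f"R^2 = {r_squared(noisy, a2, b2):.4f}")
    # With exponent b, doubling n multiplies the time by about 2^b.
    print(f"predicted slowdown from n=1000 to n=2000: {2 ** b2:.2f}x")
```

Fitting in log space weights relative rather than absolute errors, which is the sensible choice when the measured times span several orders of magnitude, as they do between n = 50 and n = 1000.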
The computation time of Heavy-k depends on the class of automata,
i.e., on the density td, as the scalability test above shows.
Moreover, it also depends on k. The following graph shows the
average computation time of Heavy-k on automata of size 100 and
varying td and k. The most difficult cases are those where
minimization is possible (and thus the algorithm does not give up
quickly), but does not massively reduce the size of the instance.
For Heavy-k, this peak is around td = 1.6, 1.7 (like in the
scalability test).

[Chart: computation time for minimization with Heavy-k; n = 100,
alphabet size = 2, ad = 0.5]
Language Inclusion Checking. We test the language inclusion checking
algorithm of Section 6.3 (with lookahead up to 15) on nontrivial
instances and compare its performance to previous techniques like
ordinary fair simulation checking and the best effort of GOAL (which
uses simulation-based minimization followed by an on-the-fly variant
of Piterman's construction [29, 34]). In this test we use only the
polynomial time steps (1)-(3) of our algorithm, thus it may fail in
some instances. We consider pairs of Tabakov-Vardi random automata
with 1000 states each, |Σ| = 2 and ad = 0.5. For each separate case
of td = 1.6, 1.8 and 2.0, we create 300 such automata pairs and check
if language inclusion holds. (For td < 1.6 inclusion rarely holds,
except trivially if one automaton has empty language. For td > 2
inclusion often holds but is easier to prove.)

For td = 1.6 our algorithm solved 294 of 300 instances (i.e., 98%):
45 included (16 in step (1) and 29 in step (2)), 249 non-included
(step (3)), and 6 failed. Average computation time 1167s. Ordinary
fair simulation solved only 13 included instances. GOAL (timeout
60min, 14GB memory) solved only 13 included instances (the same 13
as fair simulation) and 155 non-included instances.

For td = 1.8 our algorithm solved 297 of 300 instances (i.e., 99%):
104 included (103 in step (1) and 1 in step (2)) and 193 non-included
(step (3)) and 3 failed. Average computation time 452s. Ordinary
fair simulation solved only 5 included instances. GOAL (timeout
30min, 14GB memory) solved only 5 included instances (the same 5 as
fair simulation) and 115 non-included instances.

For td = 2.0 our algorithm solved every instance: 143 included (shown
in step (1)) and 157 non-included (step (3)). Average computation
time 258s. Ordinary fair simulation solved only 1 of the 143 included
instances. GOAL (timeout 30min, 14GB memory) solved only 1 of 143
included instances (the same one as fair simulation) and 106 of 157
non-included instances.

8. Conclusion and Future Work 

Our automata minimization techniques perform significantly better
than previous methods. In particular, they can be applied to solve
PSPACE-complete automata problems like language inclusion for much
larger instances. While we presented our methods in the context of
Büchi automata, most of them trivially carry over to the simpler
case of automata over finite words. Future work includes more
efficient algorithms for computing lookahead simulations, either
along the lines of [20] for normal simulation, or by using symbolic
representations of the relations. Moreover, we are applying similar
techniques to minimize tree-automata.
A. Additional Experiments

This appendix contains additional material related to experiments 
with our minimization algorithm (cf. Section 7). 

A.1 The Effect of the Acceptance Density

Figure 3 shows the performance of our minimization algorithm on
random automata with acceptance density 0.5 and 0.1, respectively.
Clearly, variations in the acceptance density do not affect our
methods with lookahead (e.g., Light-12 and Heavy-12) very much.
However, a small acceptance density like 0.1 makes the problem
somewhat harder for methods without lookahead (e.g., Light-1 and
Heavy-1).

[Chart: Minimization of Tabakov-Vardi Random Automata, alphabet size
2, acceptance density 0.5; x-axis: transition density]

[Chart: Minimization of Tabakov-Vardi Random Automata, alphabet size
2, acceptance density 0.1; x-axis: transition density]



Figure 3. Minimization of Tabakov-Vardi random automata with
n = 100, |Σ| = 2, ad = 0.5 (top), ad = 0.1 (bottom) and varying td.
We use the Light-1, Light-12, Heavy-1 and Heavy-12 methods and plot
the average number of states of the minimized automata. Every point
in the top (resp. bottom) graph is the average of 1000 (resp. 300)
automata. Note how a small acceptance density makes minimization
harder without lookahead, but not much harder for lookahead 12.
A.2 Scalability

In this section we present the complete data for our scalability
experiments. We tested our Heavy-12 minimization algorithm on random
automata of increasing size but fixed td, ad and Σ. In Figure 4 we
show the reduction in size, while in Figure 5 we show the
computation time (for the same set of experiments).



[Chart: Scalability of Heavy-12 Minimization. Average size of
minimized automata in % of original; x-axis: number of states of
original automaton, 100 to 1000 (ad = 0.5, separate curves for
different td)]



Figure 4. Minimization of Tabakov-Vardi random automata with
ad = 0.5, |Σ| = 2, and increasing n = 50, 100, ..., 1000. Different
curves for different td. We plot the average size of the Heavy-12
minimized automata, in percent of their original size. Every point
is the average of 300 automata. Note that the lookahead of 12 does
not change, i.e., larger automata do not require a higher lookahead
for a good minimization.








Figure 6. Lookahead simulation is not transitive. 



B. Non- transitivity of Lookahead Simulation 

In this section we show that lookahead simulation is not transitive
for k ≥ 2. Consider the example in Figure 6. We have
p0 ⊑^k q0 ⊑^k r0 (and k = 2 suffices), but p0 ⋢^k r0 for any k > 0.
In fact,

• p0 ⊑^k q0, with k = 2: Duplicator takes the transition via q1 or
q2 depending on whether Spoiler plays word (a + b)a or (a + b)b,
respectively.

• q0 ⊑^k r0, with k = 2: If Spoiler goes to q1 or q2, then
Duplicator goes to r1 or r2, respectively. That q1 ⊑^k r1 holds can
be shown as follows (the case q2 ⊑^k r2 is similar). If Spoiler
takes transitions q1 → q0 → q1, then Duplicator does r1 → r1 → r1,
and if Spoiler does q1 → q0 → q2, then Duplicator does
r1 → r2 → r1. The other cases are similar.

• p0 ⋢^k r0, for any k > 0. From r0, Duplicator can play a trace for
any word w of length k > 0, but in order to extend it to a trace of
length k + 1 for any w' = wa or wb, she needs to know whether the
last, (k+1)-th symbol is a or b. Thus, no finite lookahead suffices
for Duplicator.

Incidentally, notice that r0 simulates p0 with k-continuous
simulation, and k = 2 suffices.

As shown in Section 4, non-transitivity of lookahead simula- 
tion is not an obstacle to its applications. Since it is only used to 
compute good under-approximations of certain preorders, one can 
simply consider its transitive closure (which is easily computed). 



Figure 5. Minimization of Tabakov-Vardi random automata as in
Figure 4. Here we plot the average computation time (in ms) for the
minimization, and a least-squares fit by the function a·n^b. For
td = 1.4, 1.6, 1.8, 2.0 we obtain 0.018·n^{2.14}, 0.32·n^{2.39},
0.087·n^{2.05} and 0.055·n^{2.09}, respectively.
C. Fixpoint Logic Characterization of Lookahead Simulation

In this section we give a fixpoint logic characterization of
lookahead simulation, using the modal μ-calculus. Basically it
follows from the following preservation property enjoyed by
lookahead simulation: Let x ∈ {di, de, f, bw} and k > 0. When
Duplicator plays according to a winning strategy, in any
configuration (p_i,q_i) of the resulting play, p_i ⊑^{k-x} q_i.
Thus, k-lookahead simulation (without acceptance condition) can be
characterized as the largest X ⊆ Q × Q which is closed under a
certain monotone predecessor operator. For convenience, we take the
point of view of Spoiler, and compute the complement relation
W^x = (Q × Q) \ ⊑^{k-x} instead. This is particularly useful for
delayed simulation, since we can avoid recording the obligation bit
(see [14]) by using the technique of [24].

Direct and backward simulation. Consider the following predecessor
operator CPre^di(X), for any set X ⊆ Q × Q:

\[
\mathrm{CPre}^{di}(X) = \{(p_0,q_0) \mid
\exists (p_0 \xrightarrow{\sigma_1} p_1 \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_k} p_k)\
\forall (q_0 \xrightarrow{\sigma_1} q_1 \cdots \xrightarrow{\sigma_m} q_m),\ 0 < m \le k,\
\text{either } \exists (0 \le j \le m) \cdot p_j \in F \text{ and } q_j \notin F,\
\text{or } (p_m,q_m) \in X \}
\]

Intuitively, (p,q) ∈ CPre^di(X) iff, from position (p,q), in one
round of the game Spoiler can either force the game into X, or
violate the winning condition for direct simulation. For backward
simulation, CPre^bw(X) is defined analogously, except that
transitions are reversed and also initial states are taken into
account:

\[
\mathrm{CPre}^{bw}(X) = \{(p_0,q_0) \mid
\exists (p_0 \xleftarrow{\sigma_1} p_1 \xleftarrow{\sigma_2} \cdots \xleftarrow{\sigma_k} p_k)\
\forall (q_0 \xleftarrow{\sigma_1} q_1 \cdots \xleftarrow{\sigma_m} q_m),\ 0 < m \le k,\
\text{either } \exists (0 \le j \le m) \cdot p_j \in F \text{ and } q_j \notin F,\
\text{or } \exists (0 \le j \le m) \cdot p_j \in I \text{ and } q_j \notin I,\
\text{or } (p_m,q_m) \in X \}
\]

Remark. The definition of CPre^x(X) requires that the automaton has
no deadlocks; otherwise, Spoiler would incorrectly lose if she can
only perform at most k' < k transitions. We assumed that the
automaton is complete to keep the definition simple, but our
implementation works with general automata.

Intuitively, the generalization to incomplete automata works as
follows. If Spoiler's move reaches a deadlocked state after k'
steps, where 1 ≤ k' < k, then Spoiler does not immediately lose.
Instead Duplicator needs to reply to this move of length k'. In
other words, if Spoiler's move ends in a deadlocked state then the
lookahead requirements are weakened, because one simply cannot
demand any more steps from Spoiler.

For X = ∅, CPre^x(X) is the set of configurations from which Spoiler
wins in at most one step. Thus, Spoiler wins iff she can eventually
reach CPre^x(∅). Formally, for x ∈ {di, bw},

\[
W^x = \mu W \cdot \mathrm{CPre}^x(W)
\]
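As an added example (my own code, not the paper's implementation), the following Python builds CPre^di over a small constructed automaton and iterates it from the empty set to obtain W^di = μW·CPre^di(W), then reads off the k-lookahead direct simulation as the complement. The k = 1 result is compared with ordinary direct simulation computed by the usual greatest-fixpoint refinement. Spoiler moves shorter than k are accepted only when they end in a deadlocked state, following the Remark above; the constructed automaton has no deadlocks, so that case does not arise in the run. CPre^bw would have the same shape with predecessors in place of successors and the extra initial-state check; it is not implemented here. The automaton and all names are assumptions.

```python
# Added example (my own code, not the paper's implementation): CPre^di and
# W^di = mu W . CPre^di(W) on a small constructed automaton.


class NBA:
    def __init__(self, states, alphabet, transitions, accepting):
        self.states = list(states)
        self.alphabet = list(alphabet)
        self.accepting = set(accepting)
        self.succ = {}                      # (state, letter) -> set of successors
        for p, a, q in transitions:
            self.succ.setdefault((p, a), set()).add(q)

    def moves(self, p):
        return [(a, q) for a in self.alphabet for q in sorted(self.succ.get((p, a), ()))]


def spoiler_moves(aut, p0, k):
    """Runs p0 -s1-> p1 ... -sk-> pk; shorter runs only if they end deadlocked."""
    out = []

    def extend(run):
        here = run[-1][1] if run else p0
        if len(run) == k:
            out.append(run)
            return
        nxt = aut.moves(here)
        if not nxt:
            if run:                         # deadlock after 1 <= k' < k steps
                out.append(run)
            return
        for a, q in nxt:
            extend(run + [(a, q)])

    extend([])
    return out


def duplicator_replies(aut, q0, word):
    """Runs q0 -s1-> q1 ... -sm-> qm reading a prefix of word, 1 <= m <= len(word)."""
    def extend(run, i):
        if i == len(word):
            return
        for q in sorted(aut.succ.get((run[-1], word[i]), ())):
            yield run + [q]
            yield from extend(run + [q], i + 1)

    yield from extend([q0], 0)


def cpre_di(aut, X, k):
    """(p0,q0) is in CPre^di(X) iff Spoiler has a move such that every reply
    either shows a violation (some p_j accepting while q_j is not) or ends
    in X.  No reply at all (Duplicator stuck) counts as a win for Spoiler."""
    result = set()
    for p0 in aut.states:
        for q0 in aut.states:
            for run in spoiler_moves(aut, p0, k):
                word = [a for a, _ in run]
                ps = [p0] + [p for _, p in run]
                wins = True
                for qs in duplicator_replies(aut, q0, word):
                    m = len(qs) - 1
                    violated = any(ps[j] in aut.accepting and qs[j] not in aut.accepting
                                   for j in range(m + 1))
                    if not (violated or (ps[m], qs[m]) in X):
                        wins = False
                        break
                if wins:
                    result.add((p0, q0))
                    break
    return result


def lookahead_direct_simulation(aut, k):
    """Least fixpoint of CPre^di from the empty set, then complement."""
    W = set()
    while True:
        nxt = cpre_di(aut, W, k)
        if nxt == W:
            return {(p, q) for p in aut.states for q in aut.states} - W
        W = nxt


def direct_simulation_classic(aut):
    """Ordinary direct simulation by greatest-fixpoint refinement (check for k = 1)."""
    R = {(p, q) for p in aut.states for q in aut.states
         if not (p in aut.accepting and q not in aut.accepting)}
    changed = True
    while changed:
        changed = False
        for p, q in sorted(R):
            for a, p2 in aut.moves(p):
                if not any((p2, q2) in R for q2 in aut.succ.get((q, a), ())):
                    R.discard((p, q))
                    changed = True
                    break
    return R


# Constructed automaton: on 'a', q0 must commit to q1 (then only 'b') or q2
# (then only 'c') before seeing whether p1 continues with 'b' or 'c'.
EXAMPLE = NBA(
    states=["p0", "p1", "p3", "p4", "q0", "q1", "q2", "q3", "q4"],
    alphabet=["a", "b", "c"],
    transitions=[("p0", "a", "p1"), ("p1", "b", "p3"), ("p1", "c", "p4"),
                 ("q0", "a", "q1"), ("q0", "a", "q2"), ("q1", "b", "q3"), ("q2", "c", "q4"),
                 ("p3", "a", "p3"), ("p4", "a", "p4"), ("q3", "a", "q3"), ("q4", "a", "q4")],
    accepting=["p3", "p4", "q3", "q4"],
)

if __name__ == "__main__":
    for k in (1, 2):
        sim = lookahead_direct_simulation(EXAMPLE, k)
        print(f"k = {k}: {len(sim)} pairs; (p0, q0) in relation: {('p0', 'q0') in sim}")
```

With k = 1, q0 has to pick q1 or q2 on the first a and then cannot answer the letter p1 chooses next, so (p0,q0) ∉ ⊑^{1-di}; with k = 2 Spoiler must reveal both letters before Duplicator commits, and (p0,q0) enters the relation. The iteration is monotone, so W only grows and the loop terminates once a round adds nothing.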

Delayed and fair simulation. We introduce a more elaborate
three-argument predecessor operator CPre(X,Y,Z). Intuitively, a
configuration belongs to CPre(X,Y,Z) iff Spoiler can make a move
s.t., for any Duplicator's reply, at least one of the following
conditions holds:

1. Spoiler visits an accepting state, while Duplicator never does 
so; then, the game goes to X. 

2. Duplicator never visits an accepting state; the game goes to Y. 

3. The game goes to Z (without any further condition). 



\[
\begin{aligned}
\mathrm{CPre}(X,Y,Z) = \{(p_0,q_0) \mid{} &
\exists (p_0 \xrightarrow{\sigma_1} p_1 \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_k} p_k) \cdot
\forall (q_0 \xrightarrow{\sigma_1} q_1 \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_m} q_m) \cdot
\forall (0 < m \le k) \cdot \\
& \text{either } \exists (0 \le i \le m) \cdot p_i \in F,\
\forall (0 \le j \le m) \cdot q_j \notin F,\ (p_m,q_m) \in X \\
& \text{or } \forall (0 \le j \le m) \cdot q_j \notin F,\ (p_m,q_m) \in Y \\
& \text{or } (p_m,q_m) \in Z \}
\end{aligned}
\]

For fair simulation, Spoiler wins iff, except for finitely many
rounds, she visits accepting states infinitely often while Duplicator
does not visit any accepting state at all. Thus,

\[
W^f = \mu Z \cdot \nu X \cdot \mu Y \cdot \mathrm{CPre}(X,Y,Z)
\]

For delayed simulation, Spoiler wins if, after finitely many rounds,
the following conditions are both satisfied: 1) She can visit an
accepting state, and 2) She can prevent Duplicator from visiting
accepting states in the future. For condition 1), let
CPre^1(X,Y) := CPre(X,Y,Y), and, for 2), CPre^2(X,Y) := CPre(X,X,Y).
Then,

\[
W^{de} = \mu W \cdot \mathrm{CPre}^1(\nu X \cdot \mathrm{CPre}^2(X,W),\, W)
\]